Splunk Enterprise Security

Splunk Enterprise Security: How to display all notable events and indicate which ones were suppressed?

Path Finder

My SOC wants a page showing all recent notables, and which ones were suppressed by the current suppression rules. Obviously I can list notables with


but how can I easily indicate the ones that actually showed up in Incident Review vs. the ones that were suppressed?

0 Karma

Path Finder

There are built in macros that can assist with what you're trying to do.



`notable` | search NOT `suppression`

And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.

`notable` | search eventtype!=notable_suppression* | bin _time span=24h  |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count

Another option would be to use the incident_review macro:

| `incident_review`

That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).

More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

Hope that helps!

Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...