Splunk Enterprise Security: Top Notable Event Sour...

shandman · ‎02-23-2018

Is there a "simple" way to whitelist an IP address that is showing up in the "Top Notable Event Soucres", within Splunk Enterprise Security?

rkoster · ‎10-31-2018

You can generate fewer notable events from that source IP address (i.e. tune the correlation searches that are triggering with that src) as Martin suggests or you can modify the report that is used to populate that panel (Report Name: Notable - Top Notable Event Sources).

| `es_notable_events` 
| search timeDiff_type=current src!=unknown src!="<whitelisted address>" 
| stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src 
| sort 100 - count,correlation_search_count

martin_mueller · ‎02-24-2018

Generate fewer notable events for that IP 😛

Splunk Enterprise Security: Top Notable Event Sources: Whitelist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation