Splunk Enterprise Security

Where are Notable Event Suppressions stored in Splunk?

echojacques
Builder

In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).

The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.

Thanks


jmckean_splunk
Splunk Employee

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.


woodcock
Esteemed Legend

They are stored as `eventtypes`.  Search for "notable_suppression".

morethanyell
Builder

Feels like this question remains unanswered.


woodcock
Esteemed Legend

See my answer.  The accepted answer is useless.


woodcock
Esteemed Legend

Why was this answer accepted?  It does not answer the question AT ALL!  See my answer which does.

echojacques
Builder

Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI; I guess it doesn't know how to display a blank suppression.

I was able to find the .conf file and edit it manually, which fixed the GUI problem. This is the file I was looking for (it's also referenced in the document you mentioned); it stores all of the event suppressions that the GUI reads from:

`etc/apps/SA-ThreatIntelligence/local/eventtypes.conf`
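A small check for the failure mode described in this answer, added here as an example (it is not code from the thread or from Splunk): it parses an eventtypes.conf in the stanza/key format that file uses, picks out the stanzas whose names start with `notable_suppression` (the string woodcock's answer says to search for), and reports any whose search or description field is blank. The sample file contents, stanza names and field values are constructed.

```python
import configparser
import io

# Constructed sample of etc/apps/SA-ThreatIntelligence/local/eventtypes.conf.
# Stanza names and values are made up for illustration; the second stanza
# reproduces the "blank search and description" state that broke the GUI.
SAMPLE_EVENTTYPES_CONF = """
[notable_suppression-scanner_host_noise]
search = rule_name="Excessive Failed Logins" src="10.0.0.5"
description = Approved vulnerability scanner, ticket SEC-1234
disabled = 0

[notable_suppression-broken_one]
search =
description =
disabled = 0

[some_other_eventtype]
search = index=main sourcetype=syslog
"""

# Fields the suppression page expects to be populated for every suppression.
REQUIRED_FIELDS = ("search", "description")


def parse_eventtypes(text):
    """Parse Splunk-style eventtypes.conf text into {stanza: {key: value}}."""
    # RawConfigParser: no % interpolation (SPL searches may contain %);
    # allow_no_value tolerates a bare "key =" line.
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key names as written (Splunk keys are case-sensitive)
    parser.read_file(io.StringIO(text))
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def find_broken_suppressions(text):
    """Return {stanza: [blank fields]} for suppression eventtypes that have a
    missing or empty search/description, i.e. the state to fix by hand."""
    broken = {}
    for stanza, fields in parse_eventtypes(text).items():
        if not stanza.startswith("notable_suppression"):
            continue  # other eventtypes are not rendered by the suppression page
        blank = [f for f in REQUIRED_FIELDS if not (fields.get(f) or "").strip()]
        if blank:
            broken[stanza] = blank
    return broken


if __name__ == "__main__":
    for stanza, blank in find_broken_suppressions(SAMPLE_EVENTTYPES_CONF).items():
        print(f"{stanza}: blank field(s) {', '.join(blank)}")
```

Run it against the real file (read the text from disk instead of the constructed sample) before reopening the suppression page; the stanzas it reports are the ones to complete or remove.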

sarcome
Explorer

This is the right answer.
