Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where are Noteable Event Suppressions stored in Splunk?

echojacques
Builder
‎08-28-2013 10:51 AM

In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).

The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmckean_splunk
Splunk Employee
Splunk Employee
‎08-28-2013 12:41 PM

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-19-2022 11:44 AM

They are stored as `eventtypes`.  Search for "notable_suppression".

Reply
Solved! Jump to solution

morethanyell
Builder
‎09-25-2019 03:47 PM

Feels like this question remains unanswered.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-19-2023 07:16 AM

See my answer.  The accepted answer is useless.

0 Karma
Reply
Solved! Jump to solution
Solution

jmckean_splunk
Splunk Employee
Splunk Employee
‎08-28-2013 12:41 PM

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-19-2022 11:43 AM

Why was this answer accepted?  It does not answer the question AT ALL!  See my answer which does.

Reply
Solved! Jump to solution

echojacques
Builder
‎08-28-2013 12:55 PM

Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI, I guess it doesn't know how to display a blank suppression.

I was able to find the .conf file and edit the file manually which fixed the GUI problem. This is the file that I was looking for (it's also referenced in the document you mentioned) that stores all of the event suppressions (that the GUI reads from):

etc/apps/SA-ThreatIntelligence/local/eventtypes.conf
Reply
Solved! Jump to solution

sarcome
Explorer
‎09-23-2024 07:10 AM

This is the right answer

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top