In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).
The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.
Thanks
Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.
They are stored as `eventtypes`. Search for "notable_suppression".
Feels like this question remains unanswered.
See my answer. The accepted answer is useless.
Why was this answer accepted? It does not answer the question AT ALL! See my answer which does.
Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI; I guess it doesn't know how to display a blank suppression.
I was able to find the .conf file and edit the file manually which fixed the GUI problem. This is the file that I was looking for (it's also referenced in the document you mentioned) that stores all of the event suppressions (that the GUI reads from):
etc/apps/SA-ThreatIntelligence/local/eventtypes.conf
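As an added example (not code from this thread or from Splunk), here is a small Python check that parses an `eventtypes.conf`, picks out the stanzas whose name contains "notable_suppression", and reports any suppression whose `search` or `description` value is blank, i.e. the state that broke the GUI above. The sample conf text embedded in the script is constructed for illustration; the stanza names and search strings are made up, and the assumption that `search` and `description` are the two keys that must be non-empty comes from the post above rather than from Splunk documentation.

```python
"""Sanity-check Enterprise Security notable-event suppression stanzas.

Added example, not from the original thread or from Splunk. It reads a Splunk
eventtypes.conf, selects stanzas whose name contains "notable_suppression"
(the naming convention the thread mentions) and reports any stanza with a
blank or missing `search` or `description`, the condition the thread reports
as breaking the Notable Event Suppressions page.
"""
import configparser
import io
import sys
from pathlib import Path

SUPPRESSION_MARKER = "notable_suppression"
REQUIRED_KEYS = ("search", "description")  # assumption: both must be non-empty

# Constructed sample of SA-ThreatIntelligence/local/eventtypes.conf; the stanza
# names and search strings are made up for illustration only.
SAMPLE_EVENTTYPES_CONF = """\
[notable_suppression-scanner_noise]
search = `notable` search_name="Network - Port Scan - Rule" src="10.0.0.5"
description = Suppress known vulnerability scanner
disabled = 0

[notable_suppression-broken]
search =
description =
disabled = 0

[some_unrelated_eventtype]
search = index=main sourcetype=syslog
description = Not a suppression
"""


def parse_eventtypes(text: str) -> dict:
    """Parse eventtypes.conf text into {stanza_name: {key: value}}.

    Splunk .conf files are INI-like. Interpolation is disabled because search
    strings contain '=' and backticks; key case is preserved as written.
    """
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    parser.optionxform = str
    parser.read_file(io.StringIO(text))
    return {section: dict(parser.items(section)) for section in parser.sections()}


def find_suppressions(stanzas: dict) -> dict:
    """Return only the stanzas that look like notable-event suppressions."""
    return {name: body for name, body in stanzas.items() if SUPPRESSION_MARKER in name}


def find_blank_suppressions(stanzas: dict) -> dict:
    """Map each suppression stanza to the list of required keys that are blank."""
    problems = {}
    for name, body in find_suppressions(stanzas).items():
        blank = [key for key in REQUIRED_KEYS if not (body.get(key) or "").strip()]
        if blank:
            problems[name] = blank
    return problems


def check_file(path: Path) -> dict:
    """Check an on-disk eventtypes.conf, e.g.
    $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf."""
    return find_blank_suppressions(parse_eventtypes(path.read_text(encoding="utf-8")))


if __name__ == "__main__":
    # Usage: python check_suppressions.py [path/to/eventtypes.conf]
    if len(sys.argv) > 1:
        report = check_file(Path(sys.argv[1]))
    else:
        report = find_blank_suppressions(parse_eventtypes(SAMPLE_EVENTTYPES_CONF))
    for stanza, keys in report.items():
        print(f"{stanza}: blank {', '.join(keys)}")
    sys.exit(1 if report else 0)
```

Run it against the `local/eventtypes.conf` path from the post before reloading or reopening the suppression page; a non-zero exit means at least one suppression stanza would need its `search`/`description` filled in (or the stanza removed) by hand, as the post describes.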
This is the right answer