Hello,
Where can I view notable alert suppression entries in ES? I'm looking for a way to not only audit these entries but also remove them.
You can delete suppressions from the "Event types" page.
Rich gave the stock answer.
If you also want to build a search, start with this.
| rest splunk_server=local servicesNS/-/-/saved/eventtypes
| search title=notable_suppression-* disabled=0
| rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable
| table disabled, app, object, description, last_updated_readable, command
| eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z")
| eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null())
| where isnotnull(isRecent)
| rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)"
| eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z")
| rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)"
| eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z")
| eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null())
| eval duration=end_time-start_time
| `uptime2string(duration,duration_readable)`
| append
[ search eventtype=suppression_audit
| fillnull value=unknown suppression, status, user
| fillnull value=modified action
| table _time, suppression, action, status, user
| eval object="notable_suppression-".suppression]
| eventstats values(user) as user, values(action) as action, values(status) as status by object
| where isnull(suppression)
| fillnull value=modified action
| fillnull value=unknown user
| rex mode=sed field=action "s/create/created/"
| rex mode=sed field=action "s/edit/modified/"
| `get_identity4events(user)`
| fields - command
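Added example, not from the thread and not Splunk's own code: the same audit written in Python over the JSON that `GET /servicesNS/-/-/saved/eventtypes?output_mode=json` returns. The listing below is constructed so the script runs offline; the field names (`entry[].name`, `content.search`, `content.disabled`, `updated`, `acl.app`, `id`) follow Splunk's REST JSON layout. The 90-day horizon and one-hour recency window are taken from the search above, and the request builders assume that POSTing `disabled=1` to an entry's URL disables it and that `DELETE` on the same URL removes it; treat those request shapes as assumptions to confirm against your Splunk version.

```python
"""Audit ES notable-event suppressions from a saved/eventtypes listing (added example)."""
import re
from datetime import datetime, timezone

# Same bounds the thread's rex stages pull out of the suppression's search string.
START_RE = re.compile(r"_time>=?(?P<start>\d+)")
END_RE = re.compile(r"_time<=?(?P<end>\d+)")

# Fixed "now" (2024-01-15T12:00:00Z) so the constructed sample is reproducible.
NOW_EPOCH = 1705320000
DAY = 86400
PREFIX = "notable_suppression-"


def _epoch(iso_ts):
    """Epoch seconds from the ISO-8601 'updated' stamp in the REST JSON."""
    return int(datetime.fromisoformat(iso_ts).timestamp())


def _readable(epoch):
    """Epoch seconds to UTC ISO text, or None when the bound is absent."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize(entry, now_epoch=NOW_EPOCH, long_horizon_days=90, recent_secs=3600):
    """Describe one suppression: its time window and the audit flags from the thread."""
    content = entry["content"]
    search = content.get("search", "")
    start_m, end_m = START_RE.search(search), END_RE.search(search)
    start = int(start_m.group("start")) if start_m else None
    end = int(end_m.group("end")) if end_m else None
    disabled = str(content.get("disabled", "0")).lower() in ("1", "true")
    return {
        "object": entry["name"],
        "app": entry["acl"]["app"],
        "active": not disabled,
        "start_time_readable": _readable(start),
        "end_time_readable": _readable(end),
        "duration": (end - start) if (start is not None and end is not None) else None,
        "open_ended": end is None,  # no upper bound: hides matching notables indefinitely
        "end_time_large": end is not None and end > now_epoch + long_horizon_days * DAY,
        "recently_updated": now_epoch - _epoch(entry["updated"]) <= recent_secs,
    }


def audit(listing, **kwargs):
    """Summaries for every notable_suppression-* eventtype in a REST listing."""
    return [summarize(e, **kwargs) for e in listing["entry"] if e["name"].startswith(PREFIX)]


def needs_review(summary):
    """An enabled suppression with no end or a far-future end deserves a second look."""
    return summary["active"] and (summary["open_ended"] or summary["end_time_large"])


def disable_request(entry):
    """(method, url, body) to disable an entry; assumed shape, confirm on your version."""
    return ("POST", entry["id"], {"disabled": "1"})


def delete_request(entry):
    """(method, url, body) to delete an entry; assumed shape, confirm on your version."""
    return ("DELETE", entry["id"], None)


_BASE = "https://splunk.example:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/"

# Constructed sample listing standing in for the REST response.
SAMPLE_LISTING = {"entry": [
    {"name": PREFIX + "known_vuln_scanner", "id": _BASE + PREFIX + "known_vuln_scanner",
     "updated": "2024-01-15T11:30:00+00:00", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": False, "search": (
         f'search_name="Scanner Activity" src="10.0.0.5" '
         f'_time>={NOW_EPOCH - 7 * DAY} _time<={NOW_EPOCH + 7 * DAY}')}},
    {"name": PREFIX + "legacy_exception", "id": _BASE + PREFIX + "legacy_exception",
     "updated": "2023-06-01T09:00:00+00:00", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": False, "search": (
         f'search_name="Brute Force" _time>={NOW_EPOCH - 200 * DAY} '
         f'_time<={NOW_EPOCH + 400 * DAY}')}},
    {"name": PREFIX + "retired_rule", "id": _BASE + PREFIX + "retired_rule",
     "updated": "2023-12-01T08:00:00+00:00", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": True, "search": f'search_name="Old Rule" _time>={NOW_EPOCH - 30 * DAY}'}},
    {"name": "failed_login", "id": _BASE + "failed_login",  # not a suppression, filtered out
     "updated": "2023-12-01T08:00:00+00:00", "acl": {"app": "search"},
     "content": {"disabled": False, "search": "action=failure"}},
]}

if __name__ == "__main__":
    for s in audit(SAMPLE_LISTING):
        flag = "REVIEW" if needs_review(s) else "ok"
        print(f'{flag:6} {s["object"]:45} active={s["active"]} '
              f'end={s["end_time_readable"]} large={s["end_time_large"]}')
```

Run it as-is to see which constructed suppressions are flagged; to use it against a live instance, replace `SAMPLE_LISTING` with the parsed JSON from the eventtypes endpoint and feed the flagged entries to `disable_request` (or `delete_request`, if you prefer deletion over the disable-for-audit-trail approach discussed in the thread).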
You can view and disable notable event suppressions at Configure->Incident Management->Notable Event Suppressions. I'm not aware of a way to delete a suppression, but disabling them should have the same effect.
You can delete notable event suppressions by going to Settings > eventtypes and searching for the suppression that you want to delete. Here is the link to the Splunk doc on that: https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Customizenotables
However for tracking/audit purposes, it is probably better to just disable them.