Splunk Enterprise Security

Where can I view created notable alert suppression entries in ES?

hperez
Explorer

Hello,


Where can I view notable alert suppression entries in ES? I'm looking for a way to not only audit these entries but also remove them.

0 Karma

aakwah
Builder

You can delete suppressions from the "Event types" page.

starcher
Influencer

Rich gave the stock answer.

If you also want to make a search, start with this.

| rest splunk_server=local servicesNS/-/-/saved/eventtypes
| search title=notable_suppression-* disabled=0
| rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable
| table disabled, app, object, description, last_updated_readable, command
| eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z")
| eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null())
| where isnotnull(isRecent)
| rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)"
| eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z")
| rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)"
| eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z")
| eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null())
| eval duration=end_time-start_time
| `uptime2string(duration,duration_readable)`
| append
    [ search eventtype=suppression_audit
    | fillnull value=unknown suppression, status, user
    | fillnull value=modified action
    | table _time, suppression, action, status, user
    | eval object="notable_suppression-".suppression]
| eventstats values(user) as user, values(action) as action, values(status) as status by object
| where isnull(suppression)
| fillnull value=modified action
| fillnull value=unknown user
| rex mode=sed field=action "s/create/created/"
| rex mode=sed field=action "s/edit/modified/"
| `get_identity4events(user)`
| fields - command
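The core of the search above is pulling the `notable_suppression-*` eventtypes from the REST endpoint, extracting the `_time>=`/`_time<=` bounds from each suppression's search string, and flagging entries that were updated in the last hour or whose end time lies more than 90 days out. The following Python is an added example (not part of the original post, and not ES's own code) that does the same extraction offline over constructed sample records shaped like the fields the SPL keeps; in practice you would feed it the JSON returned by `servicesNS/-/-/saved/eventtypes`. It goes one step beyond the SPL by also flagging suppressions that carry no `_time` bound at all, since those never expire on their own. The record values, the `now` timestamp and the helper names are all assumptions for the example.

```python
import re
from datetime import datetime

# Regexes equivalent to the two rex commands in the SPL above.
START_RE = re.compile(r"_time>(=)?(?P<start_time>\d+)")
END_RE = re.compile(r"_time<(=)?(?P<end_time>\d+)")

HOUR = 3600
DAY = 86400

# Constructed sample records in the shape of the fields the SPL keeps from
# servicesNS/-/-/saved/eventtypes. Titles, apps and search strings are invented.
SAMPLE_EVENTTYPES = [
    {"title": "notable_suppression-maint_window_web01", "disabled": "0",
     "eai:acl.app": "SA-ThreatIntelligence",
     "updated": "2024-03-01T10:30:00+0000",
     "search": '`get_notable_index` src="10.0.0.5" _time>=1709287200 _time<=1709892000'},
    {"title": "notable_suppression-old_open_ended", "disabled": "0",
     "eai:acl.app": "SA-ThreatIntelligence",
     "updated": "2024-02-01T09:00:00+0000",
     "search": '`get_notable_index` user="svc_backup" _time>1706777200 _time<1893456000'},
    {"title": "notable_suppression-no_window", "disabled": "0",
     "eai:acl.app": "SA-ThreatIntelligence",
     "updated": "2024-02-20T12:00:00+0000",
     "search": '`get_notable_index` src="10.0.0.9"'},
    {"title": "notable_suppression-retired", "disabled": "1",
     "eai:acl.app": "SA-ThreatIntelligence",
     "updated": "2024-01-05T08:00:00+0000",
     "search": '`get_notable_index` dest="10.0.0.7" _time>=1704441600 _time<=1704528000'},
    {"title": "splunk_web_access", "disabled": "0",
     "eai:acl.app": "search",
     "updated": "2024-01-01T00:00:00+0000",
     "search": "index=_internal sourcetype=splunk_web_access"},
]


def is_active_suppression(record):
    """Mirror `search title=notable_suppression-* disabled=0`."""
    return record["title"].startswith("notable_suppression-") and record["disabled"] == "0"


def parse_suppression(record, now):
    """Extract the suppression window and flag the same conditions the SPL
    flags: updated within the last hour, and an end time more than 90 days
    in the future. A missing bound comes back as None (the SPL would simply
    leave the field empty)."""
    start_m = START_RE.search(record["search"])
    end_m = END_RE.search(record["search"])
    start = int(start_m.group("start_time")) if start_m else None
    end = int(end_m.group("end_time")) if end_m else None
    # Same format string the SPL's strptime uses; %z accepts "+0000".
    updated = int(datetime.strptime(record["updated"], "%Y-%m-%dT%H:%M:%S%z").timestamp())
    return {
        "object": record["title"],
        "app": record["eai:acl.app"],
        "last_updated": updated,
        "is_recent": updated > now - HOUR,
        "start_time": start,
        "end_time": end,
        "duration": (end - start) if start is not None and end is not None else None,
        "end_time_large": end is not None and end > now + 90 * DAY,
        # Not in the SPL: a suppression with no _time bound never expires on its own.
        "unbounded": start is None or end is None,
    }


def audit_suppressions(records, now):
    """Return the parsed entry for every enabled notable suppression."""
    return [parse_suppression(r, now) for r in records if is_active_suppression(r)]


def flagged(entries):
    """Suppressions a reviewer should look at first: open-ended or very long-lived."""
    return sorted(e["object"] for e in entries if e["end_time_large"] or e["unbounded"])


if __name__ == "__main__":
    now = 1709290800  # 2024-03-01T11:00:00Z, fixed so the output is reproducible
    entries = audit_suppressions(SAMPLE_EVENTTYPES, now)
    for entry in entries:
        print(entry)
    print("review first:", flagged(entries))
```

The disabled suppression and the unrelated eventtype are filtered out, the seven-day maintenance window comes back with a 604800-second duration and no flag, the suppression that runs to 2030 is flagged as `end_time_large`, and the one with no `_time` clause is flagged as `unbounded`.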


richgalloway
SplunkTrust

You can view and disable notable event suppressions at Configure->Incident Management->Notable Event Suppressions.  I'm not aware of a way to delete a suppression, but disabling them should have the same effect.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lblystone
Splunk Employee

You can delete notable event suppressions by going to Settings > eventtypes and searching for the suppression that you want to delete. Here is the link to the Splunk doc on that: https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Customizenotables

However for tracking/audit purposes, it is probably better to just disable them. 

0 Karma