Solved: How to display warning based on SPL?

jonaclough · ‎05-03-2022

Is there a way of showing a warning to the user based on their SPL.

My use case is that users should not generally search indexes which are fed into an accelerated data model. Specifically it's faster and more accurate to search the network_traffic ADM than a firewall index.

gcusello · ‎05-03-2022

Hi @jonaclough,

sorry: it isn't possible to define an automatic warning because it depends only on your specific data and it's also infruenced by other factors.

The only possible approach (for my knowledge) is the definition of a list of tips to use your data to share to all your users.

A kind of quick reference guide to use your own data.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-03-2022

Hi @jonaclough,

sorry: it isn't possible to define an automatic warning because it depends only on your specific data and it's also infruenced by other factors.

The only possible approach (for my knowledge) is the definition of a list of tips to use your data to share to all your users.

A kind of quick reference guide to use your own data.

Ciao.

Giuseppe

jonaclough · ‎05-03-2022

If admission rules had an extra rule action option "issue warning" rather than just "filter search" that would do the job.

How to display warning based on SPL?

Other

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...