Suppression in Es by applying time limit

fahimeh
Explorer

Hello,

I want to write a suppression in Splunk ES that suppresses an event if a specific process occurs at 11 AM every day. This limitation should be applied to the raw logs because the ES rules execute within a specific time cycle and create notable events. My goal is to suppress the event when the rule runs, but only if the specific process exists at 11 AM.

How can I apply this time constraint in the suppression? Can I do this through the search I write? How?

How can I implement this time constraint on raw data? I need to limit the time in the raw event.

gcusello
SplunkTrust

Hi @fahimeh ,

a suppression rule is a search that you can build as you need, and it can also contain the time rules.

Ciao.

Giuseppe

fahimeh
Explorer
Thank you for your reply

Which time rules can I use in a search? Most time-related commands include | (like eval).

gcusello
SplunkTrust

Hi @fahimeh ,

use the rule you need, e.g. if the hour cannot be 11 AM, you can insert time_hour!=11 in your search.

It depends on your requirements.

Ciao.

Giuseppe
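To make the accepted answer concrete, here is an added example (not from this thread, and not Splunk's own configuration) of where the hour constraint goes in each of the two places ES lets you put it. The index, sourcetype, field names, process name and rule names are assumptions chosen only for illustration; the `date_hour` field and the `notable_suppression-<name>` eventtype naming are standard Splunk/ES behaviour.

```ini
# Added example, not from the thread. Index, sourcetype, field names,
# process name and rule names are assumptions chosen for illustration.

# savedsearches.conf: the correlation search itself. Pipes are allowed
# here, so the hour is derived from _time of the RAW events with eval
# (in the time zone of the search owner, since the rule runs scheduled).
# This is the only place where "the process ran at 11 AM" can be tested
# against the raw log rather than against the notable's creation time.
[Threat - Scheduled Backup Process - Rule]
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
search = index=endpoint sourcetype=XmlWinEventLog EventCode=4688 NewProcessName="*\\backup.exe" \
| eval hour=tonumber(strftime(_time, "%H")) \
| where hour!=11 \
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, NewProcessName, SubjectUserName
# ES notable-action keys (action.notable, action.notable.param.*) are
# omitted here; configure them as for any other correlation search.

# eventtypes.conf: an ES suppression. Suppressions are eventtypes named
# notable_suppression-<name> and are matched against index=notable.
# Their search must be pipeless, so eval/strftime cannot be used; the
# pipeless equivalent is the default field date_hour.
[notable_suppression-backup_exe_11am]
search = source="Threat - Scheduled Backup Process - Rule" NewProcessName="*\\backup.exe" date_hour=11
description = Suppress notables for backup.exe during the 11:00 hour (scheduled job)
disabled = 0
```

Two caveats before relying on the suppression form. First, `date_hour` is taken from the timestamp text of the event as written, not normalized to your time zone, and in `index=notable` that timestamp is the notable's own `_time` (for a `stats`-based rule, roughly when the rule ran), not the hour of the raw process event. Second, confirm what values actually appear with a quick check such as `index=notable source="Threat - Scheduled Backup Process - Rule" | stats count by date_hour` before trusting `date_hour=11`. If the requirement is genuinely about when the process ran, put the constraint in the correlation search, as the answer above suggests.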

fahimeh
Explorer

thank you🌸
I will test and tell you exactly how it worked.

gcusello
SplunkTrust

Hi @fahimeh ,

good for you, see you next time!

let me know if I can help you more, or please accept one answer for the other people in the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
