Splunk Search

Suppression in Es by applying time limit

fahimeh
Explorer

Hello,

I want to write a suppression in Splunk ES that suppresses an event if a specific process occurs at 11 AM every day. This limitation should be applied to the raw logs because the ES rules execute within a specific time cycle and create notable events. My goal is to suppress the event when the rule runs, but only if the specific process exists at 11 AM.

How can I apply this time constraint in the suppression? Can I do this through the search I write? How?

How can I implement this time constraint on raw data? I need to limit the time in the raw event.



gcusello
SplunkTrust

Hi @fahimeh ,

A suppression rule is a search that you can build as you need, also containing the time rules.

Ciao.

Giuseppe


fahimeh
Explorer

Thank you for your reply.

Which time rules can I use in a search? Most time-related commands include | (like eval).


gcusello
SplunkTrust

Hi @fahimeh ,

Use the rule you need, e.g. if the hour cannot be 11 AM, you can insert time_hour|=11 in your search.

It depends on your requirements.

Ciao.

Giuseppe
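As an added example that is not part of the thread, the hour condition written out in SPL over raw logs: the index, sourcetype, EventCode and the process value `nightly_job.exe` are constructed assumptions, and the hour is taken from `_time` with `strftime` rather than from `date_hour`. The first search keeps only the 11 AM occurrences of the process; the second is the same check inverted, so a correlation search built on it never raises a notable for them.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4688 process_name="nightly_job.exe"
| eval event_hour=tonumber(strftime(_time, "%H"))
| where event_hour=11
| table _time event_hour host user process_name

index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4688 process_name="nightly_job.exe"
| eval event_hour=tonumber(strftime(_time, "%H"))
| where event_hour!=11
| stats count by host user process_name
```

`strftime(_time, "%H")` renders the hour in the timezone of the user running the search, whereas `date_hour` reflects the timestamp text as it appeared in the raw event, so the two can disagree on hosts logging in a different timezone. Check which one matches "11 AM" in your environment before putting the condition into the suppression.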

fahimeh
Explorer

Thank you 🌸
I will test and tell you exactly how it worked.


gcusello
SplunkTrust

Hi @fahimeh ,

Good for you, see you next time!

Let me know if I can help you more, or please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
