Splunk Enterprise Security

Where are Notable Event Suppressions stored in Splunk?

echojacques
Builder

In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).

The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.

Thanks


jmckean_splunk
Splunk Employee

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.


woodcock
Esteemed Legend

They are stored as `eventtypes`. Search for "notable_suppression".

morethanyell
Builder

Feels like this question remains unanswered.


woodcock
Esteemed Legend

See my answer. The accepted answer is useless.



woodcock
Esteemed Legend

Why was this answer accepted? It does not answer the question AT ALL! See my answer which does.

echojacques
Builder

Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI, I guess it doesn't know how to display a blank suppression.

I was able to find the .conf file and edit it manually, which fixed the GUI problem. This is the file I was looking for (it's also referenced in the document you mentioned) that stores all of the event suppressions (the file the GUI reads from):

`etc/apps/SA-ThreatIntelligence/local/eventtypes.conf`
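The two practical facts in this thread are that suppressions are `eventtypes` stanzas whose names contain `notable_suppression` (woodcock's answer) and that a suppression whose `search` or `description` has been blanked breaks the suppression page in the GUI (the original poster's finding). The script below is an added example, not code from Splunk or from anyone in the thread: it parses an `eventtypes.conf` and reports every suppression stanza with an empty `search` or `description`, so you can find the offending stanza before opening the file by hand. It assumes the stanza-name prefix `notable_suppression-` and the `search`/`description`/`disabled` keys; the sample conf text is constructed for the example, not copied from a real deployment.

```python
"""Audit Enterprise Security notable-event suppressions in eventtypes.conf.

Added example. Assumes suppressions are eventtypes whose stanza names start
with "notable_suppression-" and carry `search`, `description` and `disabled`
keys. A stanza with a blank `search` or `description` is reported, because
that is the state the thread describes as breaking the suppression GUI.
"""
import configparser
import sys

# Stanza-name prefix for suppressions (assumption, see module docstring).
SUPPRESSION_PREFIX = "notable_suppression-"

# Constructed sample conf, not taken from any real deployment.
SAMPLE_CONF = """\
[notable_suppression-ignore_scanner_host]
search = `get_notable_index` source="Threat - Excessive Failed Logins - Rule" src="10.0.0.5"
description = Vulnerability scanner, expected failures
disabled = 0

[notable_suppression-broken_one]
search =
description =
disabled = 0

[some_other_eventtype]
search = index=main sourcetype=syslog
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    interpolation=None because searches contain '%' and '$';
    strict=False tolerates repeated stanzas/keys, which Splunk merges last-wins;
    delimiters=('=',) because Splunk only splits on '=' and search strings
    routinely contain ':' (e.g. timestamps, URLs).
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def list_suppressions(stanzas):
    """Return only the stanzas that are notable-event suppressions."""
    return {
        name: body for name, body in stanzas.items() if name.startswith(SUPPRESSION_PREFIX)
    }


def find_broken(suppressions):
    """Return (stanza, key) pairs where `search` or `description` is blank.

    allow_no_value=True yields None for a key with no '=', so `or ""`
    covers both a missing value and an empty one.
    """
    broken = []
    for name, body in suppressions.items():
        for key in ("search", "description"):
            if not (body.get(key) or "").strip():
                broken.append((name, key))
    return broken


def audit_file(path):
    """Audit a real eventtypes.conf on disk; returns the list from find_broken."""
    with open(path, encoding="utf-8") as fh:
        return find_broken(list_suppressions(parse_conf(fh.read())))


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the sample text.
    if len(sys.argv) > 1:
        problems = audit_file(sys.argv[1])
    else:
        problems = find_broken(list_suppressions(parse_conf(SAMPLE_CONF)))
    for stanza, key in problems:
        print(f"{stanza}: blank '{key}'")
    sys.exit(1 if problems else 0)
```

Run it against `$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf` on the search head; a non-zero exit means at least one suppression would hit the rendering error described above, and the stanza name tells you which one to repair or delete. On a live instance, `splunk btool eventtypes list --debug` shows the merged view with the file each stanza comes from, which is useful when a suppression has copies in both `default` and `local`.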