Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where are Noteable Event Suppressions stored in Splunk?

echojacques
Builder
‎08-28-2013 10:51 AM

In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).

The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmckean_splunk
Splunk Employee
Splunk Employee
‎08-28-2013 12:41 PM

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-19-2022 11:44 AM

They are stored as `eventtypes`.  Search for "notable_suppression".

Reply
Solved! Jump to solution

morethanyell
Builder
‎09-25-2019 03:47 PM

Feels like this question remains unanswered.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-19-2023 07:16 AM

See my answer.  The accepted answer is useless.

0 Karma
Reply
Solved! Jump to solution
Solution

jmckean_splunk
Splunk Employee
Splunk Employee
‎08-28-2013 12:41 PM

Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_even... with the names of the files you would need to edit. You might check there first.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-19-2022 11:43 AM

Why was this answer accepted?  It does not answer the question AT ALL!  See my answer which does.

Reply
Solved! Jump to solution

echojacques
Builder
‎08-28-2013 12:55 PM

Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI, I guess it doesn't know how to display a blank suppression.

I was able to find the .conf file and edit the file manually which fixed the GUI problem. This is the file that I was looking for (it's also referenced in the document you mentioned) that stores all of the event suppressions (that the GUI reads from):

etc/apps/SA-ThreatIntelligence/local/eventtypes.conf
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...