Hello,
I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).
I am wondering which way would be easiest for users to maintain such a list of false positives.
This solution needs to be persistent in the sense that new data will be fed into Splunk, containing these false positives, which should not reappear (what I mean is that they cannot simply be deleted or otherwise hidden on a per-event basis).
Thanks for any ideas!
This is very easy to do with a lookup file and a subsearch like this:
mySearch NOT [|inputlookup myLookupFile]
You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.
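To make the answer above concrete, here is a worked example. It is added here and is not part of the original answer; the index name, the field names `host` and `dest_ip`, and the file name `false_positives.csv` are assumptions. Assume a CSV lookup file, uploaded under Settings > Lookups > Lookup table files, with this constructed content (the column names `host` and `dest_ip` must match the field names in the events, and the extra `reason` column records why each entry was accepted):

host,dest_ip,reason
web01,10.0.0.5,vulnerability scanner approved by security team
db02,10.0.0.9,backup job confirmed by DBA

```spl
index=firewall action=blocked
    NOT [| inputlookup false_positives.csv | fields host dest_ip]
| stats count BY host dest_ip

index=firewall action=blocked
| lookup false_positives.csv host dest_ip OUTPUT reason AS fp_reason
| where isnull(fp_reason)
| stats count BY host dest_ip
```

The first search is the pattern from the answer. Splunk expands the subsearch into a filter of the form `NOT ((host="web01" AND dest_ip="10.0.0.5") OR (host="db02" AND dest_ip="10.0.0.9"))`, so any event matching one of the rows is dropped. The `fields host dest_ip` inside the subsearch matters: without it the `reason` column would also become part of the generated filter (`reason="..."`), which no event carries, and nothing would be excluded. If the field in your events has a different name than the column in the file, add a `| rename <column> AS <field>` step inside the subsearch instead of renaming the column.

The second search reaches the same result through the `lookup` command and a `where isnull(...)` filter. This form is not subject to the subsearch result limit (10,000 rows by default), so it keeps working as the false-positive list grows, and the matched `fp_reason` is available if you want to report on what was suppressed and why rather than discard it.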