Monitoring Splunk

Managing exceptions from within splunk

wsw70
Communicator

Hello,

I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).

I am wondering which way would be easiest for users to maintain such a list of false positives.

  • ideally I would like them to do this without quitting splunk
  • I was thinking about a plain text file with the names of the machines which would be looked up. If it can be accessed via splunk that could be OK, otherwise it gets tough (they would need to have ssh access to the server yada yada yada)
  • or maybe something else?

This solution needs to be persistent in the sense that new data will be fed into splunk, containing these false positives, which should not reappear (what I mean is that they cannot be simply deleted, or otherwise hidden on a per-event basis).

Thanks for any ideas!


woodcock
Esteemed Legend

This is very easy to do with a lookup file and a subsearch like this:

mySearch NOT [|inputlookup myLookupFile]

You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.

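A worked version of the lookup-file approach, added here as an example and not taken from the answer above; the index, sourcetype, field names and the file name false_positives.csv are assumptions, and the lookup entry is a constructed sample:

```spl
| makeresults
| eval host="webserver01", reviewed_by="alice", note="patched, rescan confirmed 2024-03-01"
| table host reviewed_by note
| outputlookup append=true false_positives.csv   ``` append=true keeps the rows already in the file ```

index=security sourcetype=vulnscan severity=high
    NOT [| inputlookup false_positives.csv | fields host]   ``` expands to NOT (host="webserver01" OR ...) ```

index=security sourcetype=vulnscan severity=high
| lookup false_positives.csv host OUTPUT reviewed_by
| where isnull(reviewed_by)   ``` keep only events whose host has no row in the lookup ```
```

The first search lets a reviewer add an exclusion from the search bar, so nobody needs shell access to the server, and recording who confirmed it and why keeps the exclusion list auditable. The last search is equivalent to the NOT [...] form but uses the lookup command instead of a subsearch, so it is not affected by the subsearch result limit (10,000 rows by default) once the list grows.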