First of all, thanks for the help.
I do not have much experience with Splunk.
I'm compiling security events, but I want to set up a high-level whitelist to include, for example, Microsoft's IPs and other products that I consider legitimate. But I do not want them to appear in the queries and alerts.
Is there any elegant way to define a whitelist at a high level so that all of Splunk omits the data on this whitelist?
Would there be any way to do the opposite? For example, define a blacklist? Right now I do it for specific queries, for example consulting a CSV. But I mean something more global, for all the queries.
Thanks for the help.
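Two ways Splunk can apply a whitelist globally rather than per search, as an added example that is not part of the question or any answer: an index-time nullQueue transform (events are discarded before indexing, so they never reach any search or alert) and a search-time macro that filters against the CSV lookup the question already uses. The sourcetype `WinEventLog:Security`, the field name `src`, the lookup file `whitelist.csv` with a `src_ip` column, and the TEST-NET address ranges are assumptions for illustration.

```ini
# ---- transforms.conf (index-time, on the indexer or heavy forwarder) ----
# Assumed stanza: drops any event whose src= field matches a whitelisted
# range. Ranges below are the constructed documentation networks
# 192.0.2.0/24 and 198.51.100.0/24, not real vendor addresses.
[drop_whitelisted_src]
REGEX = (?m)^.*\bsrc=(?:192\.0\.2\.\d{1,3}|198\.51\.100\.\d{1,3})\b
DEST_KEY = queue
FORMAT = nullQueue

# ---- props.conf ----
# Bind the transform to the sourcetype. TRANSFORMS-<name> stanzas run in
# the order their names sort, so a more specific keep-rule could be
# placed first if needed. Applies only to data arriving after a restart.
[WinEventLog:Security]
TRANSFORMS-whitelist = drop_whitelisted_src

# ---- macros.conf (search-time alternative, keeps the raw data) ----
# Assumed macro: excludes events whose src appears in whitelist.csv.
# Every saved search and alert then only needs `exclude_whitelist`
# instead of repeating the subsearch. The lookup stays editable
# without touching any search.
[exclude_whitelist]
definition = NOT [| inputlookup whitelist.csv | fields src_ip | rename src_ip AS src]
iseval = 0

# Example use in a saved search:
#   index=security sourcetype="WinEventLog:Security" `exclude_whitelist`
#   | stats count BY src
```

The nullQueue route is the only one that removes the data from every query, but the discarded events are gone for good, which matters if a whitelisted source is later compromised; the macro route costs a little search time but keeps the full record available for investigation.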