Within Splunk Cloud, I suspect we are whitelisting a list of approved SNMP servers. I need to "whitelist" a new SNMP server so it doesn't generate alerts. What would this list be called? Datasets? Where would I find this list so I can add another entry to it?
The whitelist is probably in a lookup file, but could be within the alert itself. Find out by examining the query within the alert.
If you see `lookup` or `inputlookup`, then the whitelist likely is in the lookup file referenced by that command.
It's also possible the whitelist is hardcoded in the query using `NOT`. In that case, you can add the new server to that list or re-write the query to use a lookup file.
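As an added illustration (not part of the original answer), the two forms described above side by side in SPL: the first search carries the whitelist hardcoded in a `NOT` clause, the second pulls it from a lookup file via an `inputlookup` subsearch. The index, sourcetype, the `host` field, the sample addresses and the lookup file name `approved_snmp_servers.csv` (one column, `host`) are assumptions, not values from the question.

```spl
index=network sourcetype=snmp NOT (host="192.0.2.10" OR host="192.0.2.11")
| stats count BY host

index=network sourcetype=snmp NOT [| inputlookup approved_snmp_servers.csv | fields host]
| stats count BY host
```

With the second form, approving a new SNMP server means adding one row to the lookup file (Settings > Lookups in Splunk Cloud) instead of editing the alert's search, and the same file can be shared by several alerts.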