Splunk® Enterprise Security

Suppress specific fields for detections in Splunk Enterprise Security

Suppress specific fields in a detection for a period of time to prevent undesired findings from being added to a specific investigation.

Follow these steps to suppress specific fields in a detection:

  1. In Splunk Enterprise Security, go to the Analyst queue.
  2. Select the investigation for which you want to suppress the detection.
  3. Go to the drop-down menu and select Suppress detection.

    Suppressing detections only prevents future findings with those specific fields from being added to the investigation.

  4. In the Suppress detection dialog box, add the suppression rule. For example, Suppression for user access from unknown location.
  5. Specify the time for which you want to suppress the fields in the detection. For example, 1 day, 1 week, or a custom period.
  6. In the Advanced section of the Suppress detection dialog box, add a description of the suppression rule.
  7. Select the fields that you want to remove from the detection SPL. For example, event_hash, rule_name.
  8. Select Change fields if you want to change the fields that you want to remove from the detection.
  9. Go to the Search preview window to review the SPL search for the detection with the suppressed fields.
  10. Select Save.
Last modified on 08 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
