
Suppress specific detections or fields in Splunk Enterprise Security

Suppress specific detections or fields in detections

Suppress specific detections or fields in a detection for a period of time to prevent undesired findings from being added to a specific investigation.

Follow these steps to suppress a detection or specific fields in a detection:

  1. In Splunk Enterprise Security, go to the Analyst queue.
  2. Select the investigation for which you want to suppress the detection.
  3. Go to the drop-down menu and select Suppress detection.

    Suppressing a detection prevents only future findings that match the selected field values from being added to the investigation; findings already in the investigation are unaffected.

  4. In the Suppress detection dialog box, enter a name for the suppression rule. For example, Suppression for user access from unknown location.
  5. Specify the period for which you want to suppress the fields in the detection. For example, 1 day, 1 week, or a custom range.
  6. In the Advanced section of the Suppress detection dialog box, add a description of the suppression rule.
  7. Select the fields that you want to remove from the detection SPL. For example, event_hash, rule_name.
  8. Select Change fields if you want to adjust the fields that you selected for removal.
  9. Go to the Search preview window to review the SPL search for the detection with the suppressed fields applied.
  10. Select Save.

Suppress and modify specific fields within finding-based detections

Use throttling to suppress specific fields in finding-based detections so that the same finding group is not created repeatedly and the notable index is not flooded. If you do not suppress specific fields, finding groups might move to the top of the Analyst queue even when no new findings or intermediate findings are added to the finding group. You can view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor.

Follow these steps to suppress and modify specific fields within finding-based detections:

  1. In Splunk Enterprise Security, select Configure.
  2. Select Content, and then select Content management.
  3. Select the title of the finding-based detection that you want to edit and open it in the detection editor.
  4. On the Edit finding-based detection page, go to the Throttling section.
  5. In Fields to group by, add or remove the fields that you want to use when matching similar events. If an event matches all of the listed fields, the detection does not create a new alert. You can define multiple fields. The available fields depend on the fields that the detection search returns.
  6. Save the detection.

    If you specify a field name in Fields to group by that does not exist in the search results, Splunk Enterprise Security throttles all of the results, because the field is identical (null) for every result. Check the field names in the Search preview before saving.
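The following simulation, added here as an illustration and not Splunk code, reproduces the matching rule above: a result that agrees with an earlier result on every field in Fields to group by is throttled rather than creating a new finding. It also shows the caveat just described: a grouped field that is absent from the results (here a misspelled "usr") is null for every result, so nearly everything is throttled. The sample results, the one-hour throttle window, and the function names are assumptions of this example.

```python
"""
Simulation of finding-based detection throttling by "Fields to group by".

Added example, not Splunk code. Results that match an earlier result on every
grouped field within the throttle window (the window length is an assumption of
this example) do not create a new finding. A grouped field missing from the
results is None for all of them, which collapses every result into one key.
"""


def group_key(result, fields):
    """Build the throttling key: the tuple of values of the grouped fields.
    A field missing from the result contributes None, which is why a
    misspelled field name makes every result look identical."""
    return tuple(result.get(f) for f in fields)


def throttle(results, fields, window):
    """Return (created, throttled).

    `created` are the results that would create a new finding; `throttled` are
    those suppressed because an earlier result with the same key was seen less
    than `window` seconds before. `results` are dicts with an integer `_time`
    (epoch seconds) and are assumed to be sorted ascending by `_time`.
    """
    last_seen = {}
    created, throttled = [], []
    for r in results:
        key = group_key(r, fields)
        t = r["_time"]
        prev = last_seen.get(key)
        if prev is not None and t - prev < window:
            throttled.append(r)
        else:
            last_seen[key] = t
            created.append(r)
    return created, throttled


# Constructed sample results from a hypothetical "user access from unknown
# location" detection. Not real Splunk data.
SAMPLE = [
    {"_time": 0,    "user": "alice", "src": "203.0.113.5",  "dest": "vpn01"},
    {"_time": 60,   "user": "alice", "src": "203.0.113.5",  "dest": "vpn01"},
    {"_time": 120,  "user": "bob",   "src": "198.51.100.9", "dest": "vpn01"},
    {"_time": 3700, "user": "alice", "src": "203.0.113.5",  "dest": "vpn01"},
    {"_time": 3800, "user": "alice", "src": "203.0.113.77", "dest": "vpn01"},
]

WINDOW = 3600  # assumed one-hour throttle window for this example


def demo_correct_fields():
    """Group by fields that exist: only the exact repeat at t=60 is throttled."""
    created, throttled = throttle(SAMPLE, ["user", "src"], WINDOW)
    return len(created), len(throttled)


def demo_missing_field():
    """Group by a field that does not exist ("usr" instead of "user"): every key
    is (None,), so only the first result per window creates a finding."""
    created, throttled = throttle(SAMPLE, ["usr"], WINDOW)
    return len(created), len(throttled)


if __name__ == "__main__":
    print("group by user,src  (created, throttled):", demo_correct_fields())
    print("group by usr (typo) (created, throttled):", demo_missing_field())
```

Running the block shows 4 findings created and 1 throttled when grouping on real fields, but only 2 created and 3 throttled when the grouped field is misspelled. That second outcome is what you see in production as a detection that "stops firing" after a throttling edit.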

Last modified on 07 May, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0

