I am trying to suppress an event "Account Deleted" and receiving the error "The provided search is not valid" when trying to save the suppression. This search works in a normal search window.
index=notable source="Access - Account Deleted - Rule" _time>=1445961951 src_user="svc-udaadm" | regex user="\d{9}"
In another suppression I get the same error with this search, once again works in a normal search window.
index=notable source="Threat - Threat List Activity - Rule" threat_match_field="dest" threat_group=iblocklist_logmein _time>=1445984423 [| inputlookup whitelisted_logmein.csv | rename whitelisted_logmein as src | fields + src]
Splunk 6.3.0 with ES 3.3.1
↧