Multiple event_id is created in itsi_tracked_alerts from correlation searches

bpratap — Wed, 30 Sep 2020 00:40:49 GMT

Need help in understanding Notable event, I am using correlation search to create Notable event, where my search has “time_range and schedule as 5min” which return single result(ie single event)

However I am able to see 2 event_id within itsi_tracked_alerts index for same search thus resulting into Notable event count 2 in Episode review in ITSI.

index=itsi_tracked_alerts sourcetype="itsi_notable:event" project=”abc” :- 2 event with 2 different event_id.

Correlation serach:---- generates only 1 event.

I am not sure why 2 event are created in “itsi_tracked_alerts” for project “abc”. Where according to correlation serach it should only generate 1 event id.

Please help

Re: Multiple event_id is created in itsi_tracked_alerts from correlation searches

yannK — Thu, 24 Oct 2019 23:00:40 GMT

Is your search returning more than 1 event when it runs ?
If it does, maybe massage your events, like using a "|dedup " or "| head 1" to trim them before the notables are created.
If your events results are unique but get indexed twice
check the _indextime of the notable events, to figure when they were created.
Check if you have a useack=true enable in the outputs.conf of your search-head (it can cause the forwarder to attempt to send the same events multiple time in case of network failure)
check if you are not cloning your data to 2 sets of indexers

topic Re: Multiple event_id is created in itsi_tracked_alerts from correlation searches in Splunk ITSI

Multiple event_id is created in itsi_tracked_alerts from correlation searches

Re: Multiple event_id is created in itsi_tracked_alerts from correlation searches