Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ES - Notable Events

Sultan77
Loves-to-Learn Lots
‎04-08-2025 12:13 AM

Good day for everyone,

I've built multiple use-cases through correlation search.

The concern here , I am getting multiple alerts for same case.

how can I set it to give only one alert contain all data.

screenshot can explain more: 

123.PNG

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-08-2025 12:30 AM

Hi @Sultan77 ,

this means that many Correlation Searches (or Detections from 8.X) triggered events.

It isn't a good idea grouping different Detections in one alert.

Anyway, the only solution is disable Notable (or Finding) creation and use only Risk Score, then use a Finding Based Detection to have only one Finding containing all the others.

In addition, you can group more Findings in one Investigation.

Ciao.

Giuseppe

0 Karma
Reply

Sultan77
Loves-to-Learn Lots
‎04-08-2025 12:34 AM

Dear @gcusello 

Can you explain how to group more than one finding in one investigation? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-08-2025 12:51 AM

Hi @Sultan77 ,

if you have ES 7.x, you have to flag all the events and add to the same investigation.

I haven't an ES 8.x to guide you  in this case.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...