Splunk ES - Notable Events

Sultan77 · ‎04-08-2025

Good day for everyone,

I've built multiple use-cases through correlation search.

The concern here , I am getting multiple alerts for same case.

how can I set it to give only one alert contain all data.

screenshot can explain more:

gcusello · ‎04-08-2025

Hi @Sultan77 ,

this means that many Correlation Searches (or Detections from 8.X) triggered events.

It isn't a good idea grouping different Detections in one alert.

Anyway, the only solution is disable Notable (or Finding) creation and use only Risk Score, then use a Finding Based Detection to have only one Finding containing all the others.

In addition, you can group more Findings in one Investigation.

Ciao.

Giuseppe

Sultan77 · ‎04-08-2025

Dear @gcusello

Can you explain how to group more than one finding in one investigation?

gcusello · ‎04-08-2025

Hi @Sultan77 ,

if you have ES 7.x, you have to flag all the events and add to the same investigation.

I haven't an ES 8.x to guide you in this case.

Ciao.

Giuseppe

Splunk ES - Notable Events

alert action

alert condition

throttling

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation

Splunk ES - Notable Events

alert action

alert condition

throttling

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series