Hi all,
Using real-time output app, I want to send newly updated events to 3rd party system. But when I tested this app, many duplicated events were sent again and again. It works exactly same way with all-time windowed realtime searches and if an events is shown, it will not disappear until the number of result count hit the maximum count(100000).

Can I send only new events without duplications in realtime using this app? How can I config?

Thank you in advance.

This is an old question but i've found the same thing when I have a syslog/kv target (havn't noticed it with cef output).

Each search slowly grows its time window until it exceeds the maxresultrows items limit.

I havn't figured out the root cause.

edit: root cause found. There was a table command in the search. You only need a fields at the end. Don't use a table and duplicates go away.

edit2: Ok it fixed it for that rule but all other rules are duplicating aswell. Around 50 times as many events compare to the base search.

