Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I make an ES Incident Review copy of my Notables?

kanyewestnewmer
New Member
‎04-01-2023 01:09 AM

How can we halt duplicate notables from being created on the Enterprise security Incident Review page for the same event id? Do any parameters need to be changed?

Ranging from earliest to latest: -70M to -10M

every 35 minutes on a cron plan

All correlation inquiries experience it.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-03-2023 04:21 AM

Hi @kanyewestnewmer,

Since you are running the exact correlation twice in the same time range, it is normal having duplicate notables. You should use 60 minutes as a cron plan or throttling on the event_id field.

https://docs.splunk.com/Documentation/ES/7.1.0/Admin/Configurecorrelationsearches#Throttle_the_numbe...

If this reply helps you an upvote is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...