Splunk Enterprise Security

How can I make an ES Incident Review copy of my Notables?

kanyewestnewmer
New Member

How can we halt duplicate notables from being created on the Enterprise security Incident Review page for the same event id? Do any parameters need to be changed?

Ranging from earliest to latest: -70M to -10M

every 35 minutes on a cron plan

All correlation inquiries experience it.

Labels (1)
Tags (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @kanyewestnewmer,

Since you are running the exact correlation twice in the same time range, it is normal having duplicate notables. You should use 60 minutes as a cron plan or throttling on the event_id field.

https://docs.splunk.com/Documentation/ES/7.1.0/Admin/Configurecorrelationsearches#Throttle_the_numbe...

If this reply helps you an upvote is appreciated.
0 Karma
Get Updates on the Splunk Community!

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...