Splunk Enterprise Security

How can I make an ES Incident Review copy of my Notables?

kanyewestnewmer
New Member

How can we halt duplicate notables from being created on the Enterprise security Incident Review page for the same event id? Do any parameters need to be changed?

Ranging from earliest to latest: -70M to -10M

every 35 minutes on a cron plan

All correlation inquiries experience it.

Labels (1)
Tags (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @kanyewestnewmer,

Since you are running the exact correlation twice in the same time range, it is normal having duplicate notables. You should use 60 minutes as a cron plan or throttling on the event_id field.

https://docs.splunk.com/Documentation/ES/7.1.0/Admin/Configurecorrelationsearches#Throttle_the_numbe...

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...