Splunk Enterprise Security

How to duplicate Notables in ES Incident Review?


Hi All,

How can we stop duplicate notables which are getting generated in the Incident Review page for same event id in the Enterprise security . Do we need to adjust any settings ?

Time range 
Earliest = -70M
Latest = -10M

Cron schedule : every 35 Minutes

It's happening for all correlation searches .



Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...