I have an issue where I am seeing duplicate notable events for a single event.
So here are the details:
-First off, this is not occurring for every notable, it's random.
-cron schedule is every 20 minutes. With a time range of -60min
-There is only one trigger event, and only one event in the notable index.
-The duplicate and the original appear at the same time.
I've also had other issues where, depending on which urgency I've filtered out, the values of the other urgencies can change. For example, I have 50 highs and 100 lows; I now filter out the lows and high drops to 25. I'm thinking this randomness may be related to my duplicate notable event issue.
ES version 5.2.0
Splunk Enterprise version 22.214.171.124
The below is from Ovie in the Splunk community Slack channel #enterprise-security: Not sure if it is your issue but it is supposed to be related to duplicates like that. So it might apply to some of you.
This can happen because of phased_execution_mode
2019-04-08 SOLNESS-18603 Incident Review: eventCount does not match resultCount causing display issues (such as events being displayed twice)
Set phased_execution_mode to singlethreaded
phased_execution_mode = singlethreaded
Splunk Enterprise Security 5.1 is compatible with Splunk Enterprise 7.1.0 and 7.1.1 only by setting phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file to avoid an issue that is fixed in Splunk Enterprise 7.1.2. However, if you apply this workaround for 7.1.0 and 7.1.1 and then upgrade Splunk Enterprise but remain on ES 5.1, then you need to set it back to phased_execution_mode=multithreaded.
Splunk Enterprise Security 5.2.x is compatible with Splunk Enterprise 7.1.0 and 7.1.1 only by setting phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file to avoid an issue that is fixed in Splunk Enterprise 7.1.2.
Bottom line is this setting has caused some serious grief.
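An added check, not from the thread, that reads the [search] stanza of a limits.conf body and compares phased_execution_mode with the version rules quoted above (singlethreaded only on Splunk Enterprise 7.1.0/7.1.1 with ES 5.1 or 5.2.x, otherwise revert). The limits.conf text and version strings are constructed, and applying the revert-to-multithreaded rule to ES 5.2.x as well as ES 5.1 is an assumption.

```python
import configparser

# Constructed sample of $SPLUNK_HOME/etc/system/local/limits.conf (not taken from the thread)
SAMPLE_LIMITS_CONF = """
[search]
phased_execution_mode = singlethreaded
max_searches_per_cpu = 1
"""

# Combinations the compatibility note says require the workaround (fixed in 7.1.2)
AFFECTED_SPLUNK = {(7, 1, 0), (7, 1, 1)}
AFFECTED_ES_MAJOR_MINOR = {(5, 1), (5, 2)}


def parse_version(text):
    """Turn '7.1.6' into (7, 1, 6); two-part strings like '5.1' give (5, 1)."""
    return tuple(int(p) for p in text.strip().split("."))


def phased_mode(limits_conf_text):
    """Return the [search] phased_execution_mode value, or None if not set."""
    # Splunk .conf files are INI-like; strict=False tolerates repeated keys
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(limits_conf_text)
    if not cp.has_section("search"):
        return None
    return cp.get("search", "phased_execution_mode", fallback=None)


def audit(limits_conf_text, splunk_version, es_version):
    """Compare the configured mode with what the compatibility note calls for."""
    configured = phased_mode(limits_conf_text)
    affected = (parse_version(splunk_version) in AFFECTED_SPLUNK
                and parse_version(es_version)[:2] in AFFECTED_ES_MAJOR_MINOR)
    if affected:
        expected = "singlethreaded"
        reason = "SPL-160881 workaround required before Splunk Enterprise 7.1.2"
    else:
        expected = "multithreaded"  # assumption: revert applies to ES 5.2.x as well as 5.1
        reason = "fix present in Splunk Enterprise 7.1.2+, workaround should be reverted"
    return {"configured": configured, "expected": expected,
            "ok": configured == expected, "reason": reason}


if __name__ == "__main__":
    # Constructed versions matching the later reply (7.1.6 with ES 5.2.2)
    print(audit(SAMPLE_LIMITS_CONF, "7.1.6", "5.2.2"))
```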
I was told by Splunk support that I was hitting SPL-160881, which has been partially resolved in 7.1.2 and later as well as ES 5.2.1 or later. However, we upgraded our setup to 7.1.6 and ES to 5.2.2, after which the duplicate occurrences have been very rare.
As you know the issue is only with the backend code of incident review dashboard which displays duplicate notables, although they do not actually exist. Splunk support had made it clear even before we upgraded setup to 7.1.6 and ES to 5.2.2, that the issue was not completely fixed yet and may recur rarely.