Splunk Enterprise Security

Splunk ES Duplicate of Notable Events displaying in Incident Review Dashboard

Path Finder

Hi Everyone,

I have an issue where I am seeing duplicate notable events for a single event.
So here are the details:
-First off, this is not occurring for every notable, it's random.
-cron schedule is every 20 minutes. With a time range of -60min
-There is only one trigger event, and only one event in the notable index.
-The duplicate and the original appear at the same time.

I've also had other issues where, depending on which urgency I've filtered out, the values of the other urgencies are impacted. For example, I have 50 highs and 100 lows; I now filter out the lows and high drops to 25. I'm thinking this randomness may be related to my duplicate notable event issue.

ES version 5.2.0
Splunk Enterprise version


The below is from Ovie in the Splunk community Slack channel #enterprise-security: Not sure if it is your issue but it is supposed to be related to duplicates like that. So it might apply to some of you.

This can happen because of phased_execution_mode

2019-04-08 SOLNESS-18603 Incident Review: eventCount does not match resultCount causing display issues (such as events being displayed twice)

Set phased_execution_mode to singlethreaded

For: limits.conf

phased_execution_mode = singlethreaded


Splunk Enterprise Security 5.1 is compatible with Splunk Enterprise 7.1.0 and 7.1.1 only by setting phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file to avoid an issue that is fixed in Splunk Enterprise 7.1.2. However, if you apply this workaround for 7.1.0 and 7.1.1 and then upgrade Splunk Enterprise but remain on ES 5.1, then you need to set it back to phased_execution_mode=multithreaded.

Splunk Enterprise Security 5.2.x is compatible with Splunk Enterprise 7.1.0 and 7.1.1 only by setting phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file to avoid an issue that is fixed in Splunk Enterprise 7.1.2.

Bottom line is this setting has caused some serious grief.
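Because the quoted compatibility notes say the workaround is only correct on Splunk Enterprise 7.1.0 and 7.1.1 (and must be reverted once you upgrade past that while staying on ES 5.1/5.2.x), a small version-aware check of the [search] stanza is useful. This is an added example, not code from the thread or from Splunk; the limits.conf content below is constructed, and the version rule is taken only from the notes quoted above.

```python
"""Check phased_execution_mode in limits.conf against the ES 5.1/5.2.x guidance
quoted in the thread: singlethreaded only on Splunk Enterprise 7.1.0/7.1.1,
otherwise the workaround should not be present."""
import configparser
import re

# Constructed sample of $SPLUNK_HOME/etc/system/local/limits.conf (not a real file)
SAMPLE_LIMITS_CONF = """\
[search]
max_searches_per_cpu = 2
phased_execution_mode = singlethreaded
"""

# Versions for which the quoted compatibility notes require the workaround
WORKAROUND_VERSIONS = {(7, 1, 0), (7, 1, 1)}


def parse_version(text):
    """Turn '7.1.6' into (7, 1, 6); raise on anything that is not x.y.z."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised Splunk version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def read_phased_execution_mode(conf_text):
    """Return the [search] phased_execution_mode value, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get("search", "phased_execution_mode", fallback=None)


def needs_workaround(splunk_version):
    return parse_version(splunk_version) in WORKAROUND_VERSIONS


def check(conf_text, splunk_version):
    """Verdict dict: is the stanza consistent with the version guidance?"""
    current = read_phased_execution_mode(conf_text)
    workaround = needs_workaround(splunk_version)
    if workaround:
        ok = current == "singlethreaded"
        advice = "set phased_execution_mode = singlethreaded in [search]"
    else:
        # A stale workaround on 7.1.2+ is the failure mode the notes warn about
        ok = current != "singlethreaded"
        advice = "remove the workaround or set phased_execution_mode = multithreaded"
    return {"current": current, "workaround_applies": workaround,
            "ok": ok, "advice": None if ok else advice}


if __name__ == "__main__":
    for version in ("7.1.1", "7.1.2"):
        print(version, check(SAMPLE_LIMITS_CONF, version))
```

This reads a single file; to see the layered effective value across apps, `splunk btool limits list search --debug` on the search head is the authoritative view.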

Loves-to-Learn Lots

Any resolution yet? We are running into the same issue. (Splunk 7.1.2, ES 5.1.0)

0 Karma

New Member

We did not have this problem for a while, but now it came back. I will open a case and see what the Splunks say about it.

0 Karma


Same issue here. Just upgraded the ES search head cluster to However, the ES app version is 5.1.1 and indexers are running with a lower version.

0 Karma

New Member

Same here with 7.2.1 and ES 5.2.0. Anyone found a solution yet?

0 Karma


I was told by Splunk support that I was hitting SPL-160881, which has been partially resolved in 7.1.2 and later as well as ES 5.2.1 or later. However, we upgraded our setup to 7.1.6 and ES to 5.2.2, post which the duplicate occurrences have been very rare.
As you know, the issue is only with the backend code of the incident review dashboard, which displays duplicate notables although they do not actually exist. Splunk support had made it clear, even before we upgraded the setup to 7.1.6 and ES to 5.2.2, that the issue was not completely fixed yet and may recur rarely.

0 Karma

New Member

Thanks shrutheen! I will try ES 5.2.2 and see if that helps!
Cheers, Thomas

0 Karma