Splunk Enterprise Security: Is there a workaround for duplicate events being reported by ES Search Head?

mipeters_splunk
Splunk Employee

We have a Splunk Enterprise Security (ES) Search Head (SH) which is reporting duplicate events even though those events are only on our Indexer (IDX) cluster once.

We think that the issue is due to a mismatch of Splunk versions, i.e. the ES SH is on 6.4 and the IDX cluster is on 6.2.

When we run the identical search from our other SH clusters the results are fine; obviously the other SH clusters are on the same version of Splunk as our IDX cluster.

We will be upgrading the IDX cluster in due course, but would like to know:

is there a temporary workaround that could fix this without having to downgrade our ES SH?

Our SOC already divides any statistical search results by two... not a great workaround.

A Google search of Answers and the docs did not come up with anything useful.

0 Karma
1 Solution

mipeters_splunk
Splunk Employee

The answer in the end is to upgrade.

The version mismatch between the SH and the IDXc makes the SH return duplicate events.

We were not able to find a workaround.

An upgrade from 6.2 on the IDXc to 6.5.x and the ES SH to 6.5 fixed the issue.


mipeters_splunk
Splunk Employee

@adonio the ES search head is stand-alone. We have three other search heads; these are not experiencing the issue. Hope that explains the architecture a little better.

Also unfortunately we have all notables turned off at the moment as we use ES in a "special way".

0 Karma

adonio
Ultra Champion

When you say "duplicate events", what exactly do you mean? It seems like you checked _raw and there are no duplicate events on the indexer tier, which leads me to think that you mean "alerts" or "correlated search results" (no notables, as you mentioned in the comment). Can you share a search and a duplicate event?

0 Karma

adonio
Ultra Champion

You mentioned SH clusters; do you have a couple of clusters or one SH cluster?
Maybe you have multiple results because the SHs aren't in sync and the search is executed twice?
Can you elaborate on the architecture a little bit?
Can you search the notable index and see how many results there are for any correlation search?
Hope it helps.
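A diagnostic search that pins down which tier introduces the duplicates, added here as an example; it is not part of any post in this thread, and the index name and time window are assumptions to be replaced with the ones from the affected search:

```spl
index=main earliest=-15m latest=now
| stats count AS copies BY splunk_server, _bkt, _cd
| where copies > 1
| stats sum(copies) AS rows_returned, count AS distinct_events, values(splunk_server) AS indexers
```

The internal field `_cd` identifies an event uniquely within its bucket (`_bkt`) on a given indexer, so the indexer tier can return each event at most once and a healthy search head produces no rows from this search. Any row with `copies` greater than one is the same indexed event appearing twice in the search head's result set, which is the symptom the original post describes and is distinct from the data itself being indexed twice (that would show up as different `_cd` values with identical `_raw`). Running the same search from the ES search head and from one of the other search heads over the same window, and comparing `rows_returned` with `distinct_events`, confirms the duplication is tied to the search head rather than to the indexers.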
