Splunk IT Service Intelligence
Multiple event_id is created in itsi_tracked_alerts from correlation searches

Explorer

Need help understanding Notable events. I am using a correlation search to create a Notable event, where my search has "time_range and schedule as 5min", which returns a single result (i.e. a single event).

However, I am able to see 2 event_ids within the itsi_tracked_alerts index for the same search, thus resulting in a Notable event count of 2 in Episode review in ITSI.

index=itsi_tracked_alerts sourcetype="itsi_notable:event" project="abc" :- 2 events with 2 different event_ids.

Correlation search: generates only 1 event.

I am not sure why 2 events are created in "itsi_tracked_alerts" for project "abc", when according to the correlation search it should generate only 1 event_id.

Please help

Re: Multiple event_id is created in itsi_tracked_alerts from correlation searches

Splunk Employee
  • Is your search returning more than 1 event when it runs?
    If it does, maybe massage your events, e.g. using "| dedup" or "| head 1" to trim them before the notables are created.

  • If your event results are unique but get indexed twice:
    Check the _indextime of the notable events to figure out when they were created.
    Check if you have useAck=true enabled in the outputs.conf of your search head (it can cause the forwarder to attempt to send the same events multiple times in case of network failure).
    Check that you are not cloning your data to 2 sets of indexers.

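To separate the three causes the reply lists, here is an added Python example that is not part of the thread or of ITSI: it groups constructed itsi_tracked_alerts records by scheduled run and uses the _indextime spread and the notable's content to suggest which check to start with (the search_name and title fields and the 5-second clone window are assumptions).

```python
"""Triage duplicate ITSI notable events (added example, constructed sample data)."""
from collections import defaultdict

# Constructed itsi_tracked_alerts records for three runs of one correlation
# search. event_id, project and _indextime are fields named in the thread;
# search_name and title are assumed field names for this example.
SAMPLE_NOTABLES = [
    {"event_id": "a1", "search_name": "abc_cs", "project": "abc", "_time": 1000, "_indextime": 1002, "title": "CPU high on host01"},
    {"event_id": "a2", "search_name": "abc_cs", "project": "abc", "_time": 1000, "_indextime": 1062, "title": "CPU high on host01"},
    {"event_id": "b1", "search_name": "abc_cs", "project": "abc", "_time": 1300, "_indextime": 1302, "title": "CPU high on host01"},
    {"event_id": "b2", "search_name": "abc_cs", "project": "abc", "_time": 1300, "_indextime": 1303, "title": "CPU high on host02"},
    {"event_id": "c1", "search_name": "abc_cs", "project": "abc", "_time": 1600, "_indextime": 1601, "title": "CPU high on host01"},
    {"event_id": "c2", "search_name": "abc_cs", "project": "abc", "_time": 1600, "_indextime": 1602, "title": "CPU high on host01"},
]

# Assumed threshold: copies landing this close together point at cloned
# indexer output rather than a delayed useAck retransmission.
CLONE_WINDOW_SEC = 5


def diagnose_run(events):
    """Classify why one scheduled run produced more than one event_id."""
    if len({e["event_id"] for e in events}) < 2:
        return "single notable, nothing to fix"
    distinct_results = {e["title"] for e in events}
    if len(distinct_results) > 1:
        # First bullet of the reply: the search itself returned several rows.
        return "search returned %d distinct results: trim with | dedup or | head 1" % len(distinct_results)
    spread = max(e["_indextime"] for e in events) - min(e["_indextime"] for e in events)
    if spread <= CLONE_WINDOW_SEC:
        return "identical result indexed twice within %ds: check for cloned indexer output" % spread
    return "identical result re-indexed %ds later: check useAck=true in outputs.conf" % spread


def triage(notables):
    """Group records by (search_name, _time), i.e. one scheduled run, and diagnose each."""
    runs = defaultdict(list)
    for n in notables:
        runs[(n["search_name"], n["_time"])].append(n)
    return {key: diagnose_run(evts) for key, evts in sorted(runs.items())}


if __name__ == "__main__":
    for (name, t), verdict in triage(SAMPLE_NOTABLES).items():
        print(f"{name} @ {t}: {verdict}")
```

In a real deployment the same grouping can be done with a stats search over index=itsi_tracked_alerts; the point is to compare _indextime within one run before touching outputs.conf.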