Splunk IT Service Intelligence

How to remove duplicate alerts from Episode Review

Hemant1
Explorer

We are getting duplicate alerts in Episode Review.
We need to know what required change needs to be made, and where, so that we will not see duplicate alerts.
Please help here.

Thanks in advance.

0 Karma

szhou_splunk
Splunk Employee

Hi, @Hemant1 ,
Do you see the issue consistently or very often? If yes, it may be related to phased_execution_mode, which causes multiple instances of the rules engine to run and generate multiple episodes and grouped events. You can try setting the following properties in etc/system/local/limits.conf:
[search]
phased_execution_mode = auto
Then restart the itsi_event_grouping saved search.
If it still doesn't work, please check which versions of ITSI and Splunk Enterprise you are running, and check how many rules engine processes are running on the SHs.

Hemant1
Explorer

@szhou_splunk we have performed the same steps suggested by you, but unfortunately it didn't work.
Please help here.

0 Karma