Splunk ITSI

Multiple Remedy Tickets are getting generated for the Episode having multiple notables

psoni1
Observer

We are facing some issue while creating ticket,

For the first run of the correlation search, notable events are generated and grouped into an episode; however, it creates multiple tickets (one for each event in the episode) for the episode the first time. From the second run on, notables are duplicated into the episode, and all the new notables are added to the ticket that was created with the first alert in the episode during the first run of the correlation search.

Please let us know if this is known behavior and, if so, what the logic behind it is, or whether any specific settings/fields need to be modified when raising the tickets.


eduncan
Splunk Employee

Make sure that in the correlation search you have the Notable Event Identifier fields set and are not just leaving it at 'source'. These fields are used to identify the NE as unique. For instance, you might want to use %host%%eventtype%%Message%. This will let ITSI know that the NE is the exact same one as one already created, and it will prevent duplicates.

When you want to create a Remedy ticket, make sure that in the Action tab of the aggregation policy you choose something like "When this event occurs: Severity greater than or equal to Medium", and then the action will be to create an event. Aggregation policies create one ticket per episode, not per NE.

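To make the two points in the answer above concrete, here is an added simulation (not ITSI's code and not from either poster) of how a notable-event identifier template and the scope of the ticket action interact. It assumes a simplified model: with no identifier fields, every row of every correlation-search run is treated as a fresh notable; with a template such as %host%%eventtype%%Message%, a repeat of the same identifier is counted as the existing notable instead of a new one. The severity scale (medium = 4), the sample notables and the ticket payloads are all constructed for the example.

```python
import re

# Constructed sample notables (not from the thread). Run 2 is an exact repeat
# of run 1, which is what a correlation search scheduled on a sliding window
# produces while the underlying condition persists.
RUN1 = [
    {"source": "corr_cpu", "host": "web01", "eventtype": "cpu_high",
     "Message": "CPU above 90%", "severity": 4},
    {"source": "corr_cpu", "host": "web02", "eventtype": "cpu_high",
     "Message": "CPU above 90%", "severity": 4},
    {"source": "corr_cpu", "host": "web01", "eventtype": "disk_full",
     "Message": "/var at 98%", "severity": 5},
]
RUN2 = [dict(e) for e in RUN1]

# Assumed severity scale for this example: 1 info ... 6 critical, medium = 4.
MEDIUM = 4

# Identifier templates use %field% placeholders, as in the answer above.
FIELD_RE = re.compile(r"%([^%]+)%")


def render_identifier(event, template):
    """Expand a template such as '%host%%eventtype%%Message%' against one event."""
    return FIELD_RE.sub(lambda m: str(event.get(m.group(1), "")), template)


class Episode:
    """One episode: the notables grouped into it and the tickets raised for it.

    identifier_template: None means "no identifier fields configured" (every row
    is unique); otherwise a %field% template used to recognise repeats.
    ticket_per_episode: True models an aggregation-policy action (one ticket per
    episode); False models firing the ticket action once per notable.
    """

    def __init__(self, identifier_template, ticket_per_episode):
        self.template = identifier_template
        self.ticket_per_episode = ticket_per_episode
        self.notables = {}      # identifier -> number of times seen
        self.tickets = []       # constructed ticket payloads raised so far
        self.ticket_opened = False
        self.seq = 0            # row counter used when no template is set

    def ingest(self, events):
        """Add one correlation-search run; return (new, duplicate) counts."""
        new, duplicates = 0, 0
        for ev in events:
            ident = (render_identifier(ev, self.template) if self.template
                     else f"row{self.seq}")
            self.seq += 1
            if ident in self.notables:
                # Same identifier as an existing notable: count it, do not add it.
                self.notables[ident] += 1
                duplicates += 1
                continue
            self.notables[ident] = 1
            new += 1
            if not self.ticket_per_episode and ev["severity"] >= MEDIUM:
                # Per-notable action: one ticket for every qualifying notable.
                self.tickets.append({"scope": "notable", "id": ident})
        if self.ticket_per_episode and not self.ticket_opened:
            # Episode-level action: fires once, the first time the rule matches.
            if any(ev["severity"] >= MEDIUM for ev in events):
                self.tickets.append({"scope": "episode",
                                     "notables": len(self.notables)})
                self.ticket_opened = True
        return new, duplicates


def simulate(identifier_template, ticket_per_episode):
    """Run both sample runs through one episode and summarise the outcome."""
    ep = Episode(identifier_template, ticket_per_episode)
    r1 = ep.ingest(RUN1)
    r2 = ep.ingest(RUN2)
    return {"run1": r1, "run2": r2, "tickets": len(ep.tickets),
            "unique_notables": len(ep.notables)}


if __name__ == "__main__":
    print("no identifier, per-notable action:", simulate(None, False))
    print("identifier + per-episode action:  ",
          simulate("%host%%eventtype%%Message%", True))
```

Running it shows the two configurations side by side: with no identifier fields and a per-notable action, the three rows of run 1 raise three tickets and run 2 adds three more notables (six unique, six tickets); with the %host%%eventtype%%Message% identifier and an episode-level action, run 2 is recognised as three repeats and the episode keeps its single ticket.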