Need help understanding notable events. I am using a correlation search to create a notable event, where my search has "time_range and schedule as 5min" and returns a single result (i.e. a single event).
However, I am able to see 2 event_ids within the itsi_tracked_alerts index for the same search, thus resulting in a notable event count of 2 in Episode Review in ITSI.
index=itsi_tracked_alerts sourcetype="itsi_notable:event" project="abc" :- 2 events with 2 different event_ids.
Correlation search: generates only 1 event.
I am not sure why 2 events are created in "itsi_tracked_alerts" for project "abc", when according to the correlation search it should only generate 1 event_id.
Please help
Is your search returning more than 1 event when it runs?
If it does, maybe massage your events, e.g. using a "| dedup" or "| head 1", to trim them before the notables are created.
If your event results are unique but get indexed twice:
check the _indextime of the notable events to figure out when they were created;
check if you have useACK = true enabled in the outputs.conf of your search head (it can cause the forwarder to attempt to send the same events multiple times in case of network failure);
check that you are not cloning your data to 2 sets of indexers.
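The _indextime check above, written out as one search. This is an added example, not code from the original answer or from ITSI; it assumes the project="abc" filter from the question, a 24-hour lookback, and the standard _time, _indextime, _raw and splunk_server fields that every indexed event carries.

```spl
index=itsi_tracked_alerts sourcetype="itsi_notable:event" project="abc" earliest=-24h
| eval event_at=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| eval raw_hash=md5(_raw)
| stats count AS copies
        dc(event_id) AS distinct_event_ids
        dc(raw_hash) AS distinct_raw
        list(event_id) AS event_ids
        list(indexed_at) AS indexed_at
        list(splunk_server) AS indexers
  BY event_at
| where copies > 1
```

Each row is one notable timestamp that has more than one stored copy. If copies=2 with distinct_event_ids=1 and distinct_raw=1, the same search result was written twice: the gap between the two indexed_at values and the two indexers values point at a retransmit (useACK = true in the [tcpout] stanza of the search head's outputs.conf) or at two output groups receiving the same stream. If copies=2 with distinct_event_ids=2, the search itself emitted two results (or ran twice); confirm that against index=_internal sourcetype=scheduler savedsearch_name="<your correlation search>", where result_count shows how many results each scheduled run produced. list() is used instead of values() so two copies indexed within the same second still appear as two entries.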