Hi all, I have Splunk ES with a bunch of rules. The issue is that correlation rules generate notables for each result, which sometimes causes a flood of notable alerts. When a new, widespread and legitimate activity is detected (and hasn't been excluded from the rule yet), tons of alerts are created.

I'm looking for a way to limit the number of notable alerts that each rule can generate, but to do it generally, for all the rules, without manually modifying each rule. Is this possible?

Example:
- Name of rule: Test rule
- Number of results: 500
- Notable alerts: 20

Thanks