×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
arthurdavid
New Member
Member since: ‎04-15-2026
‎04-15-2026
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-15-2026
Topics I've Started
No posts to display.
View All

Re: Events ignored from episode after Bidirectiona...

by in Share a Tip
‎04-15-2026 05:13 AM
‎04-15-2026 05:13 AM
Hello, I eventually figured out why this was happening. The events that were being generated by the bidirectional ticketing correlation search were being populated with the "group_id" field. The rules engine would then add this event to the episode. My guess is that when the bidirectional event is "forced" into the episode because of the "group_id" field, the rules no longer work as expected. The bidirectional ticketing correlation search is based on a macro, so I am not sure if that is expected behavior. I can't imagine that it is expected behavior, as it completely messes up event ingestion. Who knows. Anyway, what I did to "fix" it was in the bidirectional ticketing correlation search, add the following line: | fields - group_id Once this line removes the group_id from the bidirectional event, the rules engine no longer adds bidirectional events to the episode, and normal entity degraded events continue to flow into the episode. Hopefully this helps, as it took me forever to figure this out. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-15-2026 12:33 AM