Hello All,

We have configured our monitoring tools to send Network and Application alert events as SNMP traps. Splunk monitors the /var/log/snmp-traps.log file, parses the data and indexes it; no problem there. All the fields necessary for the "Correlation Search" are present (severity, title, etc.), "Notable Events" are created by the ad hoc correlation searches, and the searches are run over a 1-minute window; there is no problem here either.

However, the breaking rules are not working as expected. For example, multiple "Episodes" for the same events are started with the exact same starting event; they may break prematurely and we end up having more than one Episode for the same starting event. We also observed that some Episodes get just one event and never get closed. We have experimented with almost every combination in "Aggregation Policies".

What is going on here? Why does it get confused? I know that this is hard to understand without looking at the actual settings and configuration, but I did my best to understand the documents and set up the whole policy. Did anyone else here have this issue?
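The two symptoms in the post (several Episodes opening on the same starting event, and one-event Episodes that never close) can be reproduced with a small grouping model. The block below is an added illustrative example, not Splunk ITSI's rules engine and not the poster's configuration. It assumes a correlation search that runs every 30 s over a 60 s window (so consecutive windows overlap and every trap becomes a notable twice), a split-by key that either does or does not include a per-run field, and an optional inactivity timeout; the device names, titles, timestamps and schedule are all constructed for the example.

```python
"""
Added illustrative model, not Splunk ITSI's rules engine: how notables created
from SNMP-trap alerts are grouped into episodes, and two ways that goes wrong.
Every device name, title, timestamp and schedule below is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Trap:
    time: int          # _time of the line parsed from /var/log/snmp-traps.log
    source: str        # device that sent the trap
    title: str
    severity: str


@dataclass(frozen=True)
class Notable:
    trap_time: int     # _time of the originating trap
    search_run: int    # when the correlation search that created it ran
    source: str
    title: str
    severity: str


@dataclass
class Episode:
    key: tuple
    events: List[Notable] = field(default_factory=list)
    closed: bool = False

    @property
    def last_time(self) -> int:
        return self.events[-1].trap_time


def run_correlation_search(traps: Iterable[Trap], run_time: int, window: int = 60) -> List[Notable]:
    """Model of an ad hoc correlation search: every trap whose _time falls in
    [run_time - window, run_time) becomes one notable stamped with this run."""
    return [Notable(t.time, run_time, t.source, t.title, t.severity)
            for t in traps if run_time - window <= t.time < run_time]


def _close_stale(open_by_key: dict, at: int, timeout: Optional[int]) -> None:
    """Close every open episode that has had no event for longer than timeout."""
    if timeout is None:
        return
    for key, ep in list(open_by_key.items()):
        if at - ep.last_time > timeout:
            ep.closed = True
            del open_by_key[key]


def group_episodes(notables: Iterable[Notable], split_by: Tuple[str, ...],
                   inactivity_timeout: Optional[int] = None,
                   now: Optional[int] = None) -> List[Episode]:
    """Group notables into episodes keyed by the split-by fields.

    A notable whose split-by key and trap_time were already seen is the same
    underlying event delivered again (overlapping search windows) and is dropped.
    With no inactivity timeout nothing ever closes an episode.
    """
    episodes: List[Episode] = []
    open_by_key: dict = {}
    seen: set = set()
    for n in sorted(notables, key=lambda n: (n.trap_time, n.search_run)):
        key = tuple(getattr(n, f) for f in split_by)
        if (key, n.trap_time) in seen:
            continue
        seen.add((key, n.trap_time))
        _close_stale(open_by_key, n.trap_time, inactivity_timeout)
        ep = open_by_key.get(key)
        if ep is None:
            ep = Episode(key)
            episodes.append(ep)
            open_by_key[key] = ep
        ep.events.append(n)
    if now is not None:
        _close_stale(open_by_key, now, inactivity_timeout)
    return episodes


def summarize(episodes: Iterable[Episode]) -> List[Tuple[tuple, List[int], bool]]:
    return [(ep.key, [e.trap_time for e in ep.events], ep.closed) for ep in episodes]


# Constructed traps: a repeated link-down from one router and a lone CPU warning.
TRAPS = [
    Trap(100, "router1", "Link down", "critical"),
    Trap(115, "router1", "Link down", "critical"),
    Trap(140, "switch2", "High CPU", "warning"),
]

# Assumed schedule: the search runs every 30 s over a 60 s window, so consecutive
# windows overlap and each trap is turned into a notable twice.
NOTABLES = [n for run in (130, 160, 190, 220) for n in run_correlation_search(TRAPS, run)]


def duplicated_episodes() -> List[Episode]:
    """Split-by includes a field that differs between the two notables made from
    one trap, so every trap opens two episodes with the same starting event."""
    return group_episodes(NOTABLES, ("source", "title", "search_run"))


def never_closing_episodes() -> List[Episode]:
    """Stable key, but no inactivity timeout: the lone High CPU episode stays open."""
    return group_episodes(NOTABLES, ("source", "title"))


def corrected_episodes() -> List[Episode]:
    """Stable key plus a 120 s inactivity timeout, evaluated at t=400."""
    return group_episodes(NOTABLES, ("source", "title"), inactivity_timeout=120, now=400)


if __name__ == "__main__":
    for name, fn in (("duplicated", duplicated_episodes),
                     ("never closing", never_closing_episodes),
                     ("corrected", corrected_episodes)):
        print(name, summarize(fn()))
```

Running the three variants shows the mechanism: when the split-by key contains a value that changes between the two notables generated for one trap, the grouper has no way to recognise them as the same event and opens two episodes that both start at t=100; with a stable key the duplicates collapse, and only an inactivity timeout (or some other explicit close rule) ever closes an episode that received a single event. Whether the real policy's split-by field or breaking condition behaves this way is something to check against the actual notable fields, not something this model proves.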