I have the same issue generating alerts from AWS CloudTrail events using the Splunk App. I check for alerts every 5 minutes, and the shortest look-back is 15 minutes, since anything shorter would miss critical events. I have gotten it down to just 1 duplicate alert. Where would I put the code in my search query (sample below)?
aws-cloudtrail-sourcetype eventName=AuthorizeSecurityGroupEgress
| dedup eventID
| eval discovered_date=ceil(_time) * 1000
| fields eventID, eventTime, userIdentity.principalId, userIdentity.accessKeyId, discovered_date, eventSource, eventName, recipientAccountId, requestParameters.groupId
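One way to keep the 15-minute look-back (so late-arriving CloudTrail events are not missed) while still alerting once per event is to throttle the alert on eventID for longer than the look-back window, so the same event seen by three overlapping 5-minute runs fires only the first time. This is an added example, not the original poster's configuration; the stanza name, the sourcetype value, and the 20-minute suppression period are assumptions, and the stanza goes in the app's local savedsearches.conf:

```ini
; Assumed stanza name; the search itself mirrors the query from the post,
; with an assumed sourcetype in place of the placeholder.
[CloudTrail - security group egress rule added]
search = sourcetype="aws:cloudtrail" eventName=AuthorizeSecurityGroupEgress | dedup eventID | eval discovered_date=ceil(_time) * 1000 | fields eventID, eventTime, userIdentity.principalId, userIdentity.accessKeyId, discovered_date, eventSource, eventName, recipientAccountId, requestParameters.groupId
enableSched = 1
cron_schedule = */5 * * * *
; Overlapping window: runs every 5 minutes but looks back 15 minutes.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
; Fire once per result (per-result alerting), not one digest per run.
alert.digest_mode = 0
counttype = number of events
relation = greater than
quantity = 0
; Throttle on eventID for longer than the look-back, so an event that
; appears in up to three consecutive runs triggers only the first time.
alert.suppress = 1
alert.suppress.fields = eventID
alert.suppress.period = 20m
alert.track = 1
```

The suppression period must exceed dispatch.earliest_time's look-back, otherwise a throttled eventID can fire again on a later run that still sees it.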