Multiple Remedy Tickets are getting generated for ...

psoni1 · ‎07-07-2020

We are facing some issue while creating ticket,

For the first run of correlation, notable events are generating and grouping it into Episode, however, Its creating multiple(for each events in the episode) tickets for the episode at the first time, from the second run notables are getting duplicated into the episode, all the new notables are getting updated to the ticket which created with first alert in the episode in the first run of correlation search.

Please let us know if it’s known behavior, if yes what is the logic behind it? or any specific setting/fields needs to be modified while raising the tickets raising tickets ?

eduncan · ‎07-27-2020

Make sure that in the corr search you have the Notable Event Identifier fields set and not just leaving it at 'source'. These fields are used to identify the NE as unique. For instance you might want to use %host%%eventtype%%Message%. This will let ITSI know that the NE is the exact same one as one already created and it will prevent duplicates.

When wanting to create a Remedy ticket you will want to make sure that in the Action tab of the Aggregation policy you choose something like When this event occurs: Severity greater than or equal to Medium, and then the action will be to create an event. Agg policies create 1 ticket per episode, not per NE.

Multiple Remedy Tickets are getting generated for the Episode having multiple notables

using ITSI

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform