- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to remove duplicate alerts from episode review.
we are getting duplicate alerts in episode review .
need to know what required change needs to be done and where so we will not see duplicate alerts.
please help here .
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @Hemant1 ,
Did you see the issue consistently or very often? If yes, it may related to phased_execution_mode which causes multiple instance of rules engine running that generate multiple episodes and grouped events. You can try to set the following properties in etc/system/local/limits.conf:
[search]
phased_execution_mode = auto
And restart the itsi_event_grouping savedsearch.
If it still doesn't work, please check what is the version of ITSI and Splunk Enterprise, and check how many rules engine processes running on SHs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@szhou_splunk we have performed the same suggested by you,but unfortunately it didnt work .
please help here .