Advanced Threat Protection (ATP) sends duplicate events to Splunk server.

Article ID: 170841

Products

Advanced Threat Protection Platform

Issue/Introduction

The Splunk server is seeing duplicate events from the ATP appliance.

Cause

“Duplicate events can be sent to your Splunk database in some cases when an error is returned to the Splunk connector.  This problem has been resolved in ATP v3.0.5”

Resolution

This issue has been fixed in the ATP 3.0.5 build. Please upgrade to this build when possible. If you are not able to upgrade right away, a patch is available for ATP 2.3.0 and ATP 3.0.0. Open a Support case and ask to have the patch installed for your ATP 2.3.0 or ATP 3.0.0 build.