[BUG] Same Doc Generates Duplicate Findings

[engechas]

What is the bug?
Sometimes a detector will generate identical findings for the same same doc. This typically occurs in a 2-3 minute span.

How can one reproduce the bug?
Steps to reproduce the behavior:
I'm not sure of concrete repro steps, but it seems to happen more frequently at higher load.

1. Create a detector
2. Ingest documents that generate findings
3. Verify duplicate findings are generated

What is the expected behavior?
A finding should only be generated once for a given doc

What is your host/environment?

• OS: [e.g. iOS]
• Version [e.g. 22]
• Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.

[engechas]

This should be resolved by the latest performance enhancements. Closing

[humster88]

@engechas
Hello.
I'm seeing this problem.
I tried versions 2.13.0, 2.14.0, 2.15.0, it appears everywhere.
I'm using docker-compose deployment.
There is one detector, with 3 rules and 3 alerts attached (each alert has its own rule selected in the trigger).
When any rule is triggered, one alert is generated, which is logical.
But besides this, 3 finding are generated, all of them belong to the same rule (which generated the trigger).
When viewing details, each finding refers to the same document from the index.
If i leave one alert in the detector, triggered by any rule, then when triggered everything is correct, one finding, one alert.
If i remove alerts from the detector altogether, then everything is fine with finding.

[daimoniac]

I can confirm this issue.

We have a detector that generates 3 findings per matching document. When removing all or all except one alert triggers, this is reduced to 1 finding.