From 9ab39216df6ed3d0670bf42792e02e30b82a8d5e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 15 May 2018 10:35:22 -0700 Subject: [PATCH] add dedupe note/tip --- ...gure-splunk-windows-defender-advanced-threat-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index be0b750935..6be4590640 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -139,6 +139,10 @@ Use the solution explorer to view alerts in Splunk. 5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. +>[!TIP] +> To mininimize alert duplications, you can use the following query: +>```source="rest://windows atp alerts" | spath | dedup _raw | table *``` + ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
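Review bot: The added TIP line in the hunk has a typo, "mininimize" should read "minimize"; suggest `> To minimize alert duplications, you can use the following query:`. Two further points on the same TIP: the query is wrapped in triple backticks on a single quoted line, which renders as inline code rather than a code block, so either keep it inline with single backticks or open and close the fence on their own `>` lines; and `dedup _raw` only collapses events whose raw text is byte-for-byte identical, so it is worth stating in the note that alerts pulled more than once with any differing field (for example an updated status or timestamp) will still appear twice. If the alert payload carries a stable identifier, dedup on that field would be the more robust suggestion.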