In Splunk Enterprise Security versions before 4.7, Correlation Searches were spread across two configuration files – correlationsearches.conf and savedsearches.conf. This meant that it was virtually impossible to clone one – you had to use the “two-tab” method to do so: open one tab with the search you want to clone and another with a new search and then copy/paste. Yuck.
However, since Enterprise Security version 4.7, everything was collapsed into savedsearches.conf! Yay – now we can clone. If you do clone a Correlation Search from Settings->Saved Searches you will notice odd behavior because there is one setting that is not editable (or even visible) in the Saved Searches GUI.
Here's what you see after cloning:
However, here is what Content Management shows - duplicates!
To successfully clone a Correlation Search you must do the following:
- Clone it via Settings->Saved Searches.
- Choose Edit->Advanced Edit for the new search and change the “action.correlationsearch.label” of the cloned search to something unique.
- Execute a debug/refresh.
After performing these steps, you would see something like this in Content Management: