In Splunk Enterprise Security versions before 4.7, Correlation Searches were spread across two configuration files – correlationsearches.conf and savedsearches.conf. This made cloning one nearly impossible – you had to use the “two-tab” method: open one tab with the search you want to clone and another with a new search, then copy and paste field by field. Yuck.

However, since Enterprise Security version 4.7, everything is collapsed into savedsearches.conf! Yay – now we can clone. If you clone a Correlation Search from Settings->Saved Searches, though, you will notice odd behavior, because one setting is neither editable nor visible in the Saved Searches GUI and is copied verbatim into the clone.

Here's what you see after cloning:

Cloned Correlation Search

However, here is what Content Management shows - duplicates!

Content Management

To successfully clone a Correlation Search you must do the following:

  1. Clone it via Settings->Saved Searches.
  2. Choose Edit->Advanced Edit for the new search and change the “action.correlationsearch.label” of the cloned search to something unique. Content Management identifies a Correlation Search by this label, so two searches sharing it show up as duplicates.
  3. Run a debug/refresh so Splunk reloads the saved-search configuration.

After performing these steps, you would see something like this in Content Management:

Correctly Cloned Correlation Search
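The same clone-and-relabel procedure, as an added example that is not part of the original post: it parses a constructed savedsearches.conf fragment (stanza names and settings are made up for illustration), reproduces the GUI clone that leaves action.correlationsearch.label untouched, flags the resulting duplicate label the way Content Management would, and shows the corrected clone with a unique label.

```python
"""Clone a Correlation Search stanza in savedsearches.conf (ES >= 4.7) and
check that action.correlationsearch.label stays unique across stanzas."""
import configparser
from collections import defaultdict

LABEL_KEY = "action.correlationsearch.label"

# Constructed savedsearches.conf fragment; stanza name and values are made up.
SAMPLE_CONF = """\
[Access - Brute Force Access Behavior Detected - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force Access Behavior Detected
cron_schedule = */5 * * * *
search = | tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src
"""


def load_conf(text):
    """Parse Splunk .conf text; keys are case-sensitive and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=True)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def duplicate_labels(cp):
    """Return {label: [stanzas]} for every label shared by more than one stanza."""
    by_label = defaultdict(list)
    for stanza in cp.sections():
        label = cp[stanza].get(LABEL_KEY)
        if label is not None:
            by_label[label].append(stanza)
    return {lbl: stanzas for lbl, stanzas in by_label.items() if len(stanzas) > 1}


def clone_correlation_search(cp, source, new_stanza, new_label=None):
    """Copy every setting of `source` into `new_stanza`.

    With new_label=None this mimics the Saved Searches GUI clone: the hidden
    label is copied verbatim, which is exactly what produces the duplicates.
    Passing a unique new_label is the Advanced Edit fix from step 2."""
    if source not in cp or new_stanza in cp:
        raise ValueError("source stanza must exist and new stanza must not")
    cp.add_section(new_stanza)
    for key, value in cp[source].items():
        cp[new_stanza][key] = value
    if new_label is not None:
        cp[new_stanza][LABEL_KEY] = new_label
    return cp
```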

Cloning a Correlation Search in Splunk Enterprise Security | Dennis Morton | Feb 25, 2019 1:01:47 PM