Cloning a Correlation Search in Splunk Enterprise Security

Dennis Morton - February 2019

In Splunk Enterprise Security versions before 4.7, Correlation Searches were spread across two configuration files – correlationsearches.conf and savedsearches.conf. This meant that it was virtually impossible to clone one – you had to use the “two-tab” method to do so: open one tab with the search you want to clone and another with a new search and then copy/paste. Yuck.

However, since Enterprise Security version 4.7, everything has been collapsed into savedsearches.conf! Yay – now we can clone. If you do clone a Correlation Search from Settings->Saved Searches, you will notice odd behavior, because one setting is not editable (or even visible) in the Saved Searches GUI.

Here's what you see after cloning:

[Screenshot: Cloned Correlation Search]

However, here is what Content Management shows - duplicates!

[Screenshot: Content Management]

To successfully clone a Correlation Search you must do the following:

  1. Clone it via Settings->Saved Searches.
  2. Choose Edit->Advanced Edit for the new search and change the “action.correlationsearch.label” of the cloned search to something unique.
  3. Execute a debug/refresh.

After performing these steps, you would see something like this in Content Management:

[Screenshot: Correctly Cloned Correlation Search]
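
One way to catch a clone that still shares its label, as an added example that is not from the original post: the script scans savedsearches.conf text for "action.correlationsearch.label" values used by more than one stanza. The sample stanzas and function names are constructed, and it assumes the clone inherits the original's label, as step 2 implies.

```python
from collections import defaultdict

LABEL_KEY = "action.correlationsearch.label"

# Constructed sample of savedsearches.conf right after a clone; stanza names
# and labels are made up, and the clone is assumed to inherit the label.
SAMPLE_CONF = """\
[Access - Example Brute Force - Rule]
action.correlationsearch.label = Example Brute Force
search = | tstats count from datamodel=Authentication \\
    by Authentication.src

[Access - Example Brute Force Clone - Rule]
action.correlationsearch.label = Example Brute Force

[Network - Example Port Scan - Rule]
action.correlationsearch.label = Example Port Scan
"""


def labels_by_stanza(conf_text):
    """Return {stanza name: correlation search label} for stanzas that set one."""
    labels, stanza, continued = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        is_continuation = continued          # previous line ended with a backslash
        continued = line.endswith("\\")
        if is_continuation or not line or line.startswith("#"):
            continue                         # skip wrapped values, blanks, comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == LABEL_KEY:
                labels[stanza] = value.strip()
    return labels


def duplicate_labels(conf_text):
    """Return {label: [stanzas]} for labels shared by more than one search."""
    groups = defaultdict(list)
    for stanza, label in labels_by_stanza(conf_text).items():
        groups[label].append(stanza)
    return {label: names for label, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for label, names in duplicate_labels(SAMPLE_CONF).items():
        print(f"label {label!r} is shared by: {', '.join(names)}")
```

Any label it reports belongs to searches that still need step 2 applied before the refresh.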