Cloning a Correlation Search in Splunk ...

In Splunk Enterprise Security versions before 4.7, Correlation Searches were spread across two configuration files – correlationsearches.conf and savedsearches.conf. This meant that it was virtually impossible to clone one – you had to use the “two-tab” method to do so: open one tab with the search you want to clone and another with a new search and then copy/paste. Yuck.

However, since Enterprise Security version 4.7, everything was collapsed into savedsearches.conf! Yay – now we can clone. If you do clone a Correlation Search from Settings->Saved Searches you will notice odd behavior because there is one setting that is not editable (or even visible) in the Saved Searches GUI.

Feb 25, 2019 1:01:47 PM | Dennis Morton

Introducing the Enterprise Security ...

If you administer Splunk Enterprise Security, you have probably noticed a couple of issues with managing content:

  • ES’s Content Manager isn’t very zippy.
  • Getting an overview of your ES Content is difficult.

I wrote the ES Configuration Explorer App to solve these issues for my own use, as someone who delivers Enterprise Security Professional Services, so I thought I’d share it with everyone!

Feb 18, 2019 12:10:01 PM | Dennis Morton