topic ES (Enterprise Security) | Correlation Searches | Cannot Remove in Security

ES (Enterprise Security) | Correlation Searches | Cannot Remove

aportela_work — Thu, 19 Sep 2013 16:55:42 GMT

Hi - Am having problems removing a "correlation search". Have tried this via the SE UI from inside the editor and within the "correlation searches" list/page. Can't find a delete or remove button or anything else. Am on Splunk 5.02 with ES 2.4 app. Any ideas?

Thanks... Al

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

LukeMurphey — Thu, 19 Sep 2013 20:03:32 GMT

Unfortunately, deletion of correlation searches is not supported from the UI yet.

If the correlation search is one that is shipped with ES, then I don't recommend attempting to remove it. Instead, just disable it.

If the correlation search is a custom one, then the way to delete one is to find the instance in savedsearches.conf (should be under a local directory) and remove it manually. Restart Splunk after you prune the entry from the conf file.

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

aportela_work — Thu, 19 Sep 2013 23:25:44 GMT

hey, we found the solution, and below explains the process:
.
If the Correlated Search was called "Non-standard Access Detect" ...
and was created/configured with the "Access" domain assigned ...
the search will part of the SA-AccessProtection app ...

... So, will want to look for a search title that appends the domain and search names.
That is where we found a place to delete the specific Correlated Search.

Hurrah 🙂

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

aportela_work — Thu, 19 Sep 2013 23:26:05 GMT

Thanks for looking into this.

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

aportela_work — Thu, 19 Sep 2013 23:29:18 GMT

Forget to elaborate:
Can find/delete this Correlated Search like any regular search; from the "Searches and Reports" page of the Manager UI.

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

kausar — Tue, 27 Sep 2016 23:52:39 GMT

You can do something like:

index=notable | head 10 | delete

Re: ES (Enterprise Security) | Correlation Searches | Cannot Remove

clynch4283 — Tue, 10 Jan 2017 15:15:59 GMT

There is no way to delete a correlation searches if you are on a single instance stopping splunk then removing the files from disk is going to be your best bet; how ever if you are using search head clustering or splunk cloud you can use the REST API to delete the object. This is not a supported method but it will act as a heavy handed approach.

In my case I had users delete the saved searches out from under ES so I am only going to show the removal of the correlation search config object.

First you need to URL encode the stanza you want to target.

Stanza in the file

[Network - AWS CloudTrail Logging - Rule]

Url encoded version

Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule

From the REST API docs we want to view the object first

https://<host>:<mPort>/services/configs/conf-correlationsearches/{stanza}

For my example the curl call would be

curl -k -u admin:changeme https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule

This should return the XML for the object if you see "In handler 'conf-correlationsearches': Could not find object id=" STOP and check your URL encoding for your object.

If you see your object there then you only need to make a delete request for my example that would be.

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule

Then run your first call to the conf-correlationsearches endpoint again and you should see something like

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'conf-correlationsearches': Could not find object id=Network - AWS CloudTrail Logging - Rule</msg>
  </messages>
</response>

That should be it; a restart of splunk is recommended but you can do a debug/refresh.