https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/579744#M1242 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241794">@vinith97</a>&nbsp;</P><P>Yes, but I don't believe it's documented.</P><P>Correlation searches are saved searches similar to alerts with the correlationsearch action and various related actions: notable, risk, etc. The actions and their properties are defined in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/alert_actions.conf.</P><P>There are various examples of correlation searches in savedsearches.conf in each of the app modules included with Splunk ES.</P><P>To reverse engineer the process, you can create a correlation search in the user interface and check savedsearches.conf to see which settings are applied. You can then duplicate the process using the saved/searches API endpoint (see <A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches</A>&nbsp;) and its action parameter. After the search is saved, you can modify action parameters with the saved/searches/{name} endpoint (see <A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D</A>&nbsp;).</P><P>If you don't have access to configuration files, you may need to test on a private instance. I don't use Splunk Cloud, and you may need to contact Splunk support to confirm your solution is supported.</P> Sun, 02 Jan 2022 22:27:33 GMT tscroggins 2022-01-02T22:27:33Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/579438#M1239 <P>Hello, Is it possible to create correlation search in splunk ES app using REST API?</P> Wed, 29 Jun 2022 23:15:09 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/579438#M1239 vinith97 2022-06-29T23:15:09Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/579744#M1242 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241794">@vinith97</a>&nbsp;</P><P>Yes, but I don't believe it's documented.</P><P>Correlation searches are saved searches similar to alerts with the correlationsearch action and various related actions: notable, risk, etc. The actions and their properties are defined in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/alert_actions.conf.</P><P>There are various examples of correlation searches in savedsearches.conf in each of the app modules included with Splunk ES.</P><P>To reverse engineer the process, you can create a correlation search in the user interface and check savedsearches.conf to see which settings are applied. You can then duplicate the process using the saved/searches API endpoint (see <A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches</A>&nbsp;) and its action parameter. After the search is saved, you can modify action parameters with the saved/searches/{name} endpoint (see <A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D</A>&nbsp;).</P><P>If you don't have access to configuration files, you may need to test on a private instance. I don't use Splunk Cloud, and you may need to contact Splunk support to confirm your solution is supported.</P> Sun, 02 Jan 2022 22:27:33 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/579744#M1242 tscroggins 2022-01-02T22:27:33Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/603764#M1570 <P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches</A></P><P>&nbsp;</P><P>Let me know if this works <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241794">@vinith97</a>&nbsp;</P> Wed, 29 Jun 2022 13:30:09 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-correlation-search-using-REST-API/m-p/603764#M1570 msjsplunk 2022-06-29T13:30:09Z