https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565792#M10257 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228649">@SamHTexas</a>&nbsp; &nbsp;you can look at&nbsp; index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment.&nbsp; Hope this helps.</P> Fri, 03 Sep 2021 13:11:18 GMT lakshman239 2021-09-03T13:11:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565527#M10240 <P>Please help me with an SPL to locate Corr. searches that are in trouble , not working right. For example missing a macro or so. Thank u very much in advance.</P> Tue, 24 Jan 2023 15:09:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565527#M10240 SamHTexas 2023-01-24T15:09:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565792#M10257 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228649">@SamHTexas</a>&nbsp; &nbsp;you can look at&nbsp; index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment.&nbsp; Hope this helps.</P> Fri, 03 Sep 2021 13:11:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565792#M10257 lakshman239 2021-09-03T13:11:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565836#M10258 <P>Thank u bro. for your message, do you have any good SPLs to share for this purpose? For Enterprise or ES? Thank u in advance.</P> Fri, 03 Sep 2021 16:05:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/565836#M10258 SamHTexas 2021-09-03T16:05:02Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/566298#M10264 <P>Something like this will do in Splunk Core or ES.</P><LI-CODE lang="markup">index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" |rex field=_raw "savedsearch=(?&lt;mysaved_search&gt;.+) err=" | rex field=_raw "savedsearch_id=\"(?&lt;mysavedsearch&gt;.+)\", message=\"Error" | stats count by host, mysaved_search</LI-CODE><P>&nbsp;You can then adjust as per your setup and perhaps setup an alert/correlation search to show you&nbsp; errors from macros/lookups within the correlation search in ES.&nbsp;</P> Wed, 08 Sep 2021 12:25:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/566298#M10264 lakshman239 2021-09-08T12:25:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/628084#M11273 <P>how can check only skipped correlation search in splunk spl query<BR /><BR /><BR />index=notable sourcetype=scheduler status!=success<BR />| stats count as skipped_count by search_type user app savedsearch_name status</P><P>&nbsp;</P><P>with this query i am getting all the skipped searches&nbsp;<BR /><BR />could you help me on this<BR /><BR />TIA</P> Tue, 24 Jan 2023 10:41:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-find-a-list-of-correlation-searches-in-ES-or-Splunk-Ent/m-p/628084#M11273 manojannabathin 2023-01-24T10:41:10Z