topic Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search? in Splunk Enterprise Security

Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

jgbricker — Wed, 08 Feb 2017 19:34:42 GMT

Trying to figure out why the Splunk Enterprise Security App has a savedsearch and a correlation search for brute force seems redundant but probably missing a key distinction. Can someone give me some guidance?

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

starcher — Wed, 08 Feb 2017 19:42:32 GMT

savedsearch is the search knowledge object for the notable. the correlationsearch.conf stanza goes with that and ES needs it for all the notable like settings. hooks to active responses, title, links for drill down etc.

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

jgbricker — Wed, 08 Feb 2017 19:46:02 GMT

Okay so to clarify further, I would need both if I were adding my own detections into the ES framework? I didn't see that in the documentation.

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

smoir_splunk — Wed, 08 Feb 2017 20:04:05 GMT

Yes, you would need stanzas in both if you were to add your own correlation searches. However, I'd recommend that you use the content management page to create the searches so that the proper attributes are saved in the proper locations. Starting in 4.6.0, only savedsearches.conf references are needed.

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

starcher — Wed, 08 Feb 2017 20:05:46 GMT

Yes and the GUI based create process handles all that for you.
http://docs.splunk.com/Documentation/ES/4.6.0/Tutorials/CorrelationSearch

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

jgbricker — Wed, 08 Feb 2017 20:07:09 GMT

Okay, it does appear that when i add a correlation search via the UI (Content Management > Create Content) a savedsearch is created automatically. Doesn't this mean Splunk has to search for the same thing twice to do all the things it needs to do for ES. Perhaps I'm still confused here.

Re: Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

smoir_splunk — Wed, 08 Feb 2017 20:42:24 GMT

No, the search isn't performed twice, it's just a detail about how the search is stored.