Hello All,
I'm having an issue where I am unable to create new correlation searches. I get the following error:
There was an error saving the correlation search: In handler 'savedsearch': Data could not be written: /nobody/SplunkEnterpriseSecuritySuite/savedsearches/Threat
Also, the existing searches are not running nor showing up in ES.
Check the ownership and permissions on the savedsearches.conf file(s). If you're running SELinux, check the settings to make sure Splunk has access.
grep "denied" /var/log/audit/audit.log
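A small check along the lines of this answer, added here as an example rather than a command from the thread: it flags savedsearches.conf files that are not owned by the expected Splunk user or not writable by their owner, and narrows the audit-log grep to denials raised by splunkd. It assumes a Splunk apps tree containing savedsearches.conf files, the splunkd service account passed as a parameter, and a Linux auditd log in AVC format.

```shell
#!/bin/sh
# Added example for this thread (not the poster's commands). Assumptions: a
# Splunk tree with <app>/{default,local}/savedsearches.conf, the splunkd
# service account passed as USER, and a Linux audit log in AVC format.

# check_savedsearches DIR USER
# Print one "reason path" line for every savedsearches.conf under DIR that
# is not owned by USER or not writable by its owner; silent when all is well.
check_savedsearches() {
  dir=$1; want=$2
  find "$dir" -name savedsearches.conf 2>/dev/null | while read -r f; do
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    mode=${mode#"${mode%???}"}        # keep the last three octal digits
    case ${mode%??} in                # owner digit; the write bit is 2
      2|3|6|7) ;;
      *) echo "not-owner-writable(mode=$mode) $f" ;;
    esac
    [ "$owner" = "$want" ] || echo "owner=$owner,expected=$want $f"
  done
}

# splunk_denials LOGFILE
# The thread's grep for "denied", narrowed to AVC records from splunkd.
splunk_denials() {
  grep 'denied' "$1" | grep 'comm="splunkd"'
}

# Demo on constructed data: one healthy file, one read-only file, and a
# constructed audit log with a splunkd denial and an unrelated sshd one.
demo() {
  tmp=$(mktemp -d)
  es="$tmp/etc/apps/SplunkEnterpriseSecuritySuite/local"
  mkdir -p "$es" "$tmp/etc/apps/other/default"
  echo '[Threat - Example - Rule]' > "$es/savedsearches.conf"
  echo '[Other]' > "$tmp/etc/apps/other/default/savedsearches.conf"
  chmod 0444 "$tmp/etc/apps/other/default/savedsearches.conf"
  check_savedsearches "$tmp" "$(id -un)"
  cat > "$tmp/audit.log" <<'EOF'
type=AVC msg=audit(1700000000.100:10): avc:  denied  { write } for  pid=4242 comm="splunkd" name="savedsearches.conf" tclass=file
type=AVC msg=audit(1700000000.200:11): avc:  denied  { read } for  pid=4300 comm="sshd" name="authorized_keys" tclass=file
EOF
  splunk_denials "$tmp/audit.log"
  rm -rf "$tmp"
}

demo
```

Run it against a real install as `check_savedsearches "$SPLUNK_HOME/etc/apps" splunk` and `splunk_denials /var/log/audit/audit.log`; a line from either means a permission or SELinux fix is needed before the save will succeed.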
@richgalloway - Yes, the file ownership was set incorrectly. Thank you for your help.