Deployment Architecture

Is it possible to enable correlated search in ES by editing savedsearch.conf directly in the CLI without Web UI?

goji
Path Finder

Hi, 

There are many app and correlation searches in each app in Enterprise Security.
I understand that I can enable/disable correlation search using ES Web Interface, but I want to manage using CLI about enabling/disabling correlation search.
I mean, I just want to change many rules and many apps to  "disabled = 0" or "disabled =1" in savedsearch.conf using CLI(like shell).

I already tried the below test after savedsearch.conf from CLI

access to : https://ip:8000/en-US/debug/refresh
access to : https://ip:8000/en-US/_bump

However, the disable/enable changes are not reflected when I look at the web for purpose of checking.

Does anyone know how to make changes to ES correlation rules(savedsearch.conf) in the CLI and update searches without rebooting Splunk?

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @goji,

you question is very strange because enabling a correlation search by CLI is possible but not hinted: you could make some error and it requires a Splunk restart on the Search Head.

debud/refresh works but it's like a restart and you should do everytime you make an update.

In addition, as you said, ES is composed by many Add-Ons and there could be some customizations, so it could be very hard to correctly identify the files to modify.

In addition, you should also copy the savedsearches.conf files from the default folder to the local folder of each TA and it isn't an immediate operation.

In addition, if you have a Search Head Cluster it isn't possible because in a cluster it isn't possible to manually modify a configuration.

So at the end, why do you want to do this? In my opinion it isnt a good idea because is slower than GUI approach and there's more risk of an error.

Ciao.

Giuseppe

0 Karma

goji
Path Finder

@gcusello 

Thank you for telling me your opinion!

There are two reasons.

The first reason is that the ES content management web interface does not allow data source selection; you can specify data sources in SSE, but not in ES. So after selecting data sources in SSE, I have to enable them visually one by one in the ES content management web interface. Its like a copy/past, copy/past copy/past, This feels like a waste of time. So I am thinking of creating a script that simply extracts default/savedsearch.conf for each Apps and let them specify the data source using rest, and save only the necessary ones in local/savedsearch.conf for each App.
But when I changed savedsearch.conf in the CLI, it didn't reflect the change, which is why I asked this question.
Debug/reflesh didn't work, so if I need to reboot, that's what I'm going to do.

The second is from a backup/recovery perspective. I want to manage multiple generations of each policy set. And if necessary, I want to easily restore what I have saved in the CLI. I understand that we can still do backups to the Apps we have created, but I am fed up with the large number of Apps that will be created if we manage them frequently.

Also, I only intend to set diabled=1/0 for local/savedsearch. I don't set anything else, so I don't think there are any configuration issues.

Ciao

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @goji,

I agree with you: it's very strange that in ES there isn't a feature to associate Data with Data Source as SSE.

You could insert this feature in Splunk Ideas.

In addition, if you install SSE in the same server of ES you can you its Data Source Analysis features.

Anyway, the work to do you job is very hard, and I hint to think to this, in my opinion it's easier to manually analyze each Correlation Search in ES and find the interesting ones, also because Data sources are described in the Correlation Search Description.

Good luck!

Ciao.

Giuseppe

0 Karma

goji
Path Finder

Hi, @gcusello ,

Yes, I agree. I gonna certainly try to post to Splunk Idea as well since this is about ES functionality.
Well, I don't know if I can do it, but I will try this one.

Chao!!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...