Hi community,
I am trying to identify where all the settings defining an alert/notable are stored at the backend.
savedsearches.conf contains the alerts, but I am not sure how the cron schedule and other settings for an alert/notable defined via the UI are stored at the backend of Splunk.
Thank you!
Everything should be in the savedsearches.conf file.
Try this search via the UI; it'll list all the enabled searches with a notable action, and all the notable action parameters.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search action.notable=1 disabled=0
| table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable*
| rename eai:acl.* as *, action.not* as not*
Hi @DanAlexander,
maybe I'm wrong, but to my knowledge Correlation Searches are alerts, so all the parameters are in savedsearches.conf.
Pay attention to which savedsearches.conf file you are viewing, because in ES they are distributed across many add-ons.
ciao.
Giuseppe
Thanks for the reply @gcusello
Yes, you are right about thinking of an alert/notable as being a correlation search.
Can you please give me an example of a parameters record for anything I create as a notable via the Splunk UI (is this still ES, or is it not the SE config area... apologies, I might be completely wrong here, as I am trying to get my head around configs ATM). The ES off-the-shelf detection rules (ESCU) are stored somewhere, as you have suggested, but I wonder where a notable created by me will get stored? Which config file will hold my UI input, and what would be its relevant directory?
Regards,
Dan
Hi @DanAlexander,
you can see, in the installed Apps, the list of installed Add-Ons to search for the savedsearches.conf files, or you could run a search in the filesystem to identify all the conf files containing your Correlation Searches.
Ciao.
Giuseppe
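One way to do the filesystem search Giuseppe suggests, as an added example that is not from this thread or from Splunk: a minimal parser for savedsearches.conf that merges an app's default/ and local/ layers and lists the stanzas carrying action.notable = 1, with their cron_schedule, disabled flag and the files that define them. It assumes the standard $SPLUNK_HOME/etc/apps/<app>/{default,local}/savedsearches.conf layout fed in as (app, layer, text) tuples (the conf text below is constructed), and note that searches saved as private through the UI land under $SPLUNK_HOME/etc/users/<user>/<app>/local/ instead, and that Splunk's full cross-app precedence rules are more involved than this per-app default-then-local merge.

```python
def logical_lines(text):
    # Splunk joins a line ending in a backslash with the next one; do the same here.
    buf = []
    for line in text.splitlines():
        ends_with_slash = line.rstrip().endswith("\\")
        buf.append(line.rstrip()[:-1] if ends_with_slash else line)
        if not ends_with_slash:
            yield "\n".join(buf)
            buf = []
    if buf:  # file ended on a continuation line
        yield "\n".join(buf)

def parse_conf(text):
    """Minimal .conf parser: [stanza] headers, key = value pairs, '#' comments."""
    stanzas, section = {}, "default"
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            stanzas.setdefault(section, {})
        else:
            name, _, value = line.partition("=")
            stanzas.setdefault(section, {})[name.strip()] = value.strip()
    return stanzas

def notable_searches(layers):
    """layers: (app, layer, conf_text) tuples in precedence order (an app's default/
    before its local/). Returns the merged stanzas that have action.notable = 1."""
    merged = {}
    for app, layer, text in layers:
        for title, settings in parse_conf(text).items():
            entry = merged.setdefault(title, {"title": title, "app": app, "sources": []})
            entry.update(settings)  # the later layer wins, key by key
            entry["sources"].append(f"{app}/{layer}/savedsearches.conf")
    return [e for e in merged.values() if e.get("action.notable") == "1"]

SAMPLE_LAYERS = [  # constructed sample conf text, not real ES content
    ("DA-ESS-ContentUpdate", "default",
     "[ESCU - Suspicious Scheduled Task - Rule]\ncron_schedule = 0 * * * *\ndisabled = 1\n"
     "action.notable = 1\nsearch = | tstats count from datamodel=Endpoint.Processes \\\n  by Processes.dest\n"),
    ("DA-ESS-ContentUpdate", "local",
     "[ESCU - Suspicious Scheduled Task - Rule]\ndisabled = 0\n"),
    ("SplunkEnterpriseSecuritySuite", "local",
     "[My Custom Notable]\ncron_schedule = */15 * * * *\naction.notable = 1\nsearch = index=auth action=failure | stats count by user\n"
     "[Plain email alert]\ncron_schedule = 0 6 * * *\naction.email = 1\nsearch = index=_internal | head 1\n"),
]

for s in notable_searches(SAMPLE_LAYERS):
    print(s["title"], "| cron:", s.get("cron_schedule"), "| disabled:", s.get("disabled", "0"), "| from:", s["sources"])
```

The plain email alert is skipped because it has no action.notable key, and the ESCU rule reports disabled = 0 because the local/ layer overrides the shipped default/ value.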