Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting an error message as the rule has a malformed related_searches definition?

LRathinakumar
Explorer
‎11-15-2022 05:58 AM

Hello all,

I am getting an continuous error as the rule has a malformed related_searches definition. i have checked the lookup file as well and everything found normal but i am still getting the error. Is there any inconsistency in the query. The below is the query is used for alerting.

 

index=wineventlog source="*WinEventLog:Security" EventCode=4688
[
| inputlookup tools.csv WHERE discovery_or_attack=attack
| stats values(filename) as search ]
| transaction host maxpause=5m
| where eventcount>=4
| fields _raw closed_txn field_match_sum linecount

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2022 06:55 AM

Please share the exact text of the error message and what you are doing when the message appears.   Please also share the savedsearches.conf stanza for the correlation search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

LRathinakumar
Explorer
‎11-15-2022 09:32 AM

Hi @richgalloway 

 

Thank you for the reply.

 

Please find the error that was displayed frequently in messages column.

 

LRathinakumar_0-1668533223113.png

 

and i can't get the savedsearch.conf stanza as we are using the splunk cloud.

Thank you

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-16-2022 06:50 AM

If that correlation search was provided by a Splunk app then contact Splunk Cloud Support to have them re-install the app or correct the savedsearches.conf entry.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...