Solved: How to delete a correlation search

torowa · ‎07-28-2021

Hi Splunkers.

I'm looking for a way to delete a correlation search that has been created with the wrong name (as ES doesn't let you rename them).

The CS is currently disabled but I don't see a way to actually delete it.

I see some previous answers here but they involve direct access to the .conf file which isn't an option in this particular environment, so looking for a way to do this from the SH.

Thanks.

DavidHourani · ‎07-28-2021

Oh okay, in that case, go under : Settings > Searches, reports, and alerts

You should be able to see your saved search there and delete it.

View solution in original post

DavidHourani · ‎07-28-2021

Hi @torowa,

If it's one of the OOTB use cases it's best to simply disable it. Deleting it from the default configuration file will be temporary since the next time ES is upgraded the default configuration files are re-installed and the CS will show back up again.

Cheers,

David

torowa · ‎07-28-2021

Unfortunately this is a custom Correlation Search.

DavidHourani · ‎07-28-2021

Oh okay, in that case, go under : Settings > Searches, reports, and alerts

You should be able to see your saved search there and delete it.

torowa · ‎07-29-2021

Thanks @DavidHourani.

That did the trick.
I didn't realize that correlation searches could be deleted back with the other searches.

Was trying to do this from the Content Management screen from within ES.

How to delete a correlation search

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases