Hi - Am having problems removing a "correlation search". Have tried this via the SE UI from inside the editor and within the "correlation searches" list/page. Can't find a delete or remove button or anything else. Am on Splunk 5.02 with ES 2.4 app. Any ideas?
There is no way to delete a correlation search. If you are on a single instance, stopping Splunk and then removing the files from disk is going to be your best bet; however, if you are using search head clustering or Splunk Cloud you can use the REST API to delete the object. This is not a supported method, but it will act as a heavy-handed approach.
In my case I had users delete the saved searches out from under ES so I am only going to show the removal of the correlation search config object.
First, you need to URL-encode the stanza you want to target.
Stanza in the file:
[Network - AWS CloudTrail Logging - Rule]
URL-encoded version:
From the REST API docs, we want to view the object first.
For my example, the curl call would be:
curl -k -u admin:changeme https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Lo...
This should return the XML for the object. If you see "In handler 'conf-correlationsearches': Could not find object id=", STOP and check the URL encoding for your object.
If you see your object there, then you only need to make a DELETE request; for my example that would be:
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Lo...
Then run your first call to the conf-correlationsearches endpoint again and you should see something like:
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">In handler 'conf-correlationsearches': Could not find object id=Network - AWS CloudTrail Logging - Rule</msg>
  </messages>
</response>
That should be it; a restart of Splunk is recommended, but you can do a debug/refresh.
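The GET-then-DELETE procedure above, wrapped in a small bash script that does the stanza URL encoding and refuses to delete when the GET comes back with the "Could not find object id" error. This is an added example, not code from the original answer; it assumes bash 4+, curl, a management port at SPLUNK_HOST (default https://localhost:8089), credentials in SPLUNK_AUTH, and ASCII stanza names; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: GET first, DELETE only if the object exists, then re-check.
# Assumptions: bash 4+, curl, SPLUNK_HOST (default https://localhost:8089),
# SPLUNK_AUTH as user:password, stanza names are ASCII.
set -euo pipefail

SPLUNK_HOST="${SPLUNK_HOST:-https://localhost:8089}"
ENDPOINT="services/configs/conf-correlationsearches"

# Percent-encode a stanza name (RFC 3986 unreserved characters pass through).
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# REST URL for one stanza, e.g. "Network - AWS CloudTrail Logging - Rule".
cs_url() {
  printf '%s/%s/%s' "$SPLUNK_HOST" "$ENDPOINT" "$(urlencode "$1")"
}

# Succeeds when a response body is the "Could not find object id" error,
# meaning the encoded name matched no stanza (the STOP condition above).
cs_not_found() {
  grep -q "Could not find object id" <<< "$1"
}

# The manual procedure: view, stop if missing, delete, then confirm it is gone.
cs_delete() {
  local stanza="$1" url body
  url="$(cs_url "$stanza")"
  body="$(curl -sk -u "$SPLUNK_AUTH" "$url")"
  if cs_not_found "$body"; then
    echo "STOP: '$stanza' not found; check the stanza name and its encoding" >&2
    return 1
  fi
  curl -sk -u "$SPLUNK_AUTH" --request DELETE "$url" >/dev/null
  body="$(curl -sk -u "$SPLUNK_AUTH" "$url")"
  cs_not_found "$body"   # exit 0 = object now reported missing, i.e. deleted
}

# Usage: SPLUNK_AUTH=admin:changeme ./cs_delete.sh "Network - AWS CloudTrail Logging - Rule"
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -eq 1 ]; then cs_delete "$1"; fi
```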
You can do something like:
index=notable | head 10 | delete
Hey, we found the solution, and below explains the process:
If the Correlated Search was called "Non-standard Access Detect" ...
and was created/configured with the "Access" domain assigned ...
the search will be part of the SA-AccessProtection app ...
... So, you will want to look for a search title that appends the domain and search names.
That is where we found a place to delete the specific Correlated Search.
Forgot to elaborate:
You can find/delete this Correlated Search like any regular search, from the "Searches and Reports" page of the Manager UI.
Unfortunately, deletion of correlation searches is not supported from the UI yet.
If the correlation search is one that is shipped with ES, then I don't recommend attempting to remove it. Instead, just disable it.
If the correlation search is a custom one, then the way to delete one is to find the instance in savedsearches.conf (should be under a local directory) and remove it manually. Restart Splunk after you prune the entry from the conf file.
Thanks for looking into this.