Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to create correlation search using REST API Endpoint?

vinith97
New Member
‎12-28-2021 10:50 PM

Hello, Is it possible to create correlation search in splunk ES app using REST API?

Labels (1)
Labels
Tags (2)
0 Karma
Reply

msjsplunk
New Member
‎06-29-2022 06:30 AM

https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches

 

Let me know if this works @vinith97 

0 Karma
Reply

tscroggins
Influencer
‎01-02-2022 02:27 PM

@vinith97 

Yes, but I don't believe it's documented.

Correlation searches are saved searches similar to alerts with the correlationsearch action and various related actions: notable, risk, etc. The actions and their properties are defined in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/alert_actions.conf.

There are various examples of correlation searches in savedsearches.conf in each of the app modules included with Splunk ES.

To reverse engineer the process, you can create a correlation search in the user interface and check savedsearches.conf to see which settings are applied. You can then duplicate the process using the saved/searches API endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches ) and its action parameter. After the search is saved, you can modify action parameters with the saved/searches/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D ).

If you don't have access to configuration files, you may need to test on a private instance. I don't use Splunk Cloud, and you may need to contact Splunk support to confirm your solution is supported.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...