Splunk Enterprise Security

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?


Hi all,

I have created an adaptive response that collects information from a host and indexes it.

I have attached this adaptive response to a correlation search.

I would now like to have the collected information be available in the "Additional Fields" portion of the Incident Review page. This is an issue because that menu is populated by the events returned from the initial search.

The solution I've come to is to have two correlation searches, one to trigger my adaptive response and a second to search for both data and trigger only when the collected data has been found as well. The issue with that is suddenly I need two nearly identical searches which is doubling the search load.

So, finally: Is there a way to streamline this without having to run two correlation searches in parallel? Is there an addon that someone made that I don't know about that allows us to trigger another correlation search "ad hoc" as an adaptive response? Is there a way to run a correlation search via a python script (which is an adaptive response)?

This isn't a one-off; I have plenty of searches I need to make this adjustment to, so doubling them up is out of the picture, unfortunately.

0 Karma


This might help answer the spirit of what you are trying to do.


The gist of it is: add a field to Incident Review settings. Have that field be returned by a lookup based on a field in your notable. Shim the lookup into Incident Review. Have your adaptive response code go get the data and either index it and maintain the lookup off that, or update the lookup directly rather than indexing if it's a KV store lookup.

0 Karma
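As an added example (not code from the thread or from Splunk), the adaptive-response side of that approach: a Python alert action that reads the notable's payload from stdin, keys the collected data by host, and writes it straight into a KV store collection through the `batch_save` REST endpoint. The app name, collection name, and `collect_host_info` body are assumptions.

```python
import json
import ssl
import sys
import urllib.request

# Assumed names (not from the thread): the collection must already be declared
# in collections.conf and wired to a lookup in transforms.conf
# (external_type = kvstore, collection = host_enrichment, fields_list = ...).
KVSTORE_APP = "SA-Custom"        # app that owns the collection (assumption)
COLLECTION = "host_enrichment"   # collection name (assumption)

def collect_host_info(host):
    """Stand-in for the poster's own collection step; returns constructed data."""
    return {"os": "example-os", "owner": "example-team"}

def build_kv_record(payload, collected):
    """Merge the notable's result fields with collected data into one KV doc.
    _key is the host, so a re-triggered notable overwrites its row instead of
    adding a duplicate and the lookup stays one row per host."""
    result = payload["result"]
    host = result.get("dest") or result.get("host")
    if not host:
        raise ValueError("notable result carries no dest/host field")
    record = {"_key": host, "host": host,
              "search_name": payload.get("search_name", ""),
              "sid": payload.get("sid", "")}
    record.update(collected)
    return record

def push_to_kvstore(payload, records):
    """POST records to the collection's batch_save endpoint with the session key
    Splunk hands the alert action; assumes the splunkd cert is trusted locally."""
    url = (f"{payload['server_uri']}/servicesNS/nobody/{KVSTORE_APP}"
           f"/storage/collections/data/{COLLECTION}/batch_save")
    req = urllib.request.Request(
        url, data=json.dumps(records).encode(), method="POST",
        headers={"Authorization": f"Splunk {payload['session_key']}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status

def run(payload):
    """One adaptive-response execution: collect, key by host, push, return row."""
    host = payload["result"].get("dest") or payload["result"].get("host")
    record = build_kv_record(payload, collect_host_info(host))
    push_to_kvstore(payload, [record])
    return record

if __name__ == "__main__" and sys.argv[1:2] == ["--execute"]:
    run(json.load(sys.stdin))   # Splunk pipes the payload JSON to stdin
```

Because the correlation search that raised the notable already carries `dest`, the Incident Review lookup against this collection resolves on the next page load without a second scheduled search.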