Re: How do I find a list of Correlation Searches i...

SamHTexas · ‎09-01-2021

Please help me with an SPL to locate Corr. searches that are in trouble , not working right. For example missing a macro or so. Thank u very much in advance.

lakshman239 · ‎09-03-2021

@SamHTexas you can look at index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment. Hope this helps.

SamHTexas · ‎09-03-2021

Thank u bro. for your message, do you have any good SPLs to share for this purpose? For Enterprise or ES? Thank u in advance.

lakshman239 · ‎09-08-2021

Something like this will do in Splunk Core or ES.

index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" |rex field=_raw "savedsearch=(?<mysaved_search>.+) err=" | rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error" | stats count by host, mysaved_search

You can then adjust as per your setup and perhaps setup an alert/correlation search to show you errors from macros/lookups within the correlation search in ES.

manojannabathin · ‎01-24-2023

how can check only skipped correlation search in splunk spl query

index=notable sourcetype=scheduler status!=success
| stats count as skipped_count by search_type user app savedsearch_name status

with this query i am getting all the skipped searches

could you help me on this

TIA

How do I find a list of correlation searches in ES or Splunk Ent. that are not working like missing macros etc...?

using Enterprise Security

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk