Splunk Enterprise Security

How do you create a correlation search in Splunk Enterprise from a simple search of an index?

jdobbins_2
New Member

I have a simple search alert such as (index=A src_user=userA) which uses lookup tables to filter data. I'd like these alerts to create notable events of a specific type, and automatically get assigned to someone. It appears as though the only way to customize notable event information like this is with a correlation search.

Is there a way to use a simple search, such as above, as a correlation search to be able to utilize the advanced settings for a notable event? I have created a version of this search with a data model to use it as a correlation search, but it is extremely slow compared to the simple search equivalent.

Thanks

0 Karma

kamal_jagga
Contributor

Ideally the process is

Steps:
1. In ES ==> ES ==> Configure ==> Content Mgmt ==> Create New Content ==> Correlation Searches ==> New Correlation search.
2. Add your code in the search sections and fill up the rest of the fields.
3. Add notable action and save it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...