Splunk Enterprise Security: How to backup and version control correlation searches used

Hey everyone,

I've looked around for a little but was trying to find out if there is a way to back up and do version control with comments on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/backup of searches used in correlation searches. We are currently doing this via a private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.
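One way to do the export side of this with a script rather than an app, as an added example that is not the poster's or Splunk's code: it pulls saved searches over Splunk's REST API, keeps only the ES correlation searches (which carry `action.correlationsearch.enabled = 1`), and renders each one as stable text that diffs cleanly in git. The base URL, token and the sample response are constructed for the example.

```python
"""Snapshot Splunk ES correlation searches as diff-friendly text for git.

Added example, not the poster's or Splunk's code. Assumes the standard
saved/searches REST endpoint (output_mode=json) and a bearer token.
"""
import json
import re
import urllib.request

# Keys worth versioning; volatile fields (updated, run counters) would only add diff noise.
TRACKED = ("search", "description", "cron_schedule", "disabled",
           "action.correlationsearch.label", "action.notable.param.severity")

def is_correlation_search(entry):
    """ES marks its correlation searches with action.correlationsearch.enabled = 1."""
    return str(entry.get("content", {}).get("action.correlationsearch.enabled", "0")) == "1"

def render(name, content):
    """One key per line in fixed order so `git diff` shows exactly what changed."""
    lines = [f"# {name}"]
    for key in TRACKED:
        if key in content:
            value = str(content[key]).replace("\n", "\\\n")  # multi-line SPL stays one setting
            lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"

def safe_filename(name):
    """Splunk names may contain spaces and punctuation; keep the path portable."""
    return re.sub(r"[^A-Za-z0-9._]+", "_", name).strip("_") + ".conf"

def snapshot(entries):
    """Map file name -> rendered text for every correlation search (pure, no I/O)."""
    return {safe_filename(e["name"]): render(e["name"], e["content"])
            for e in entries if is_correlation_search(e)}

def fetch_entries(base_url, token):
    """Live fetch (not exercised offline): saved/searches across all apps as JSON."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]

# Constructed sample response: one ES correlation search and one ordinary saved search.
SAMPLE = [
    {"name": "Example - Suspicious Login Burst - Rule",
     "content": {"search": "index=auth action=failure\n| stats count by user",
                 "action.correlationsearch.enabled": "1",
                 "action.correlationsearch.label": "Suspicious Login Burst",
                 "cron_schedule": "*/5 * * * *", "disabled": "0", "updated": "2024-01-01"}},
    {"name": "Plain report", "content": {"search": "index=_internal | head 1"}},
]
```

Writing `snapshot(fetch_entries(...))` into a git working tree and committing on a schedule gives a history with commit messages as the change comments; anything that tracks only `_internal` activity records who ran a search, not what the search text was.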



Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pros and cons to each solution; the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/


Splunk version 8.1 allows you to add comments to SPL searches. Maybe you could use that as a way to track changes.
