Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to backup and version control correlation searches used?

claxpum0n
New Member
‎11-21-2019 10:13 AM

Hey everyone,

I've looked around for a little and but was trying to find out if there was a way to backup and do version control with comments on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/ backup of searches used in correlation search. We are currently doing this via private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.

https://answers.splunk.com/answers/525792/is-there-an-audit-log-that-tracks-changes-to-conte.html

Thanks!

Labels (1)
Labels
0 Karma
Reply

gabriel_vasseur
Contributor
‎05-17-2023 02:54 AM

You might like https://splunkbase.splunk.com/app/6895 to track changes to your knowledge objects. It's no effort, doesn't require git or anything else, and works equally well on-prem and in cloud.

And it sounds like you should probably have a look at my ES Choreographer app: https://splunkbase.splunk.com/app/6309 as presented at .conf21 https://conf.splunk.com/files/2021/recordings/SEC1441A.mp4

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-21-2019 07:07 PM

Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pro's and con's to each solution, the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

securitypaul
Explorer
‎11-04-2020 02:36 AM

Splunk version 8.1 allows you to comment SPL searches. Maybe you could use that as a way to track changes.

https://www.youtube.com/watch?v=sN03YNKZeBM

https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Addcommentstosearches

0 Karma
Reply
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...