Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to backup and version control correlation searches used?

claxpum0n
New Member
‎11-21-2019 10:13 AM

Hey everyone,

I've looked around for a little and but was trying to find out if there was a way to backup and do version control with comments on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/ backup of searches used in correlation search. We are currently doing this via private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.

https://answers.splunk.com/answers/525792/is-there-an-audit-log-that-tracks-changes-to-conte.html

Thanks!

0 Karma
Reply

gabriel_vasseur
Contributor
‎05-17-2023 02:54 AM

You might like https://splunkbase.splunk.com/app/6895 to track changes to your knowledge objects. It's no effort, doesn't require git or anything else, and works equally well on-prem and in cloud.

And it sounds like you should probably have a look at my ES Choreographer app: https://splunkbase.splunk.com/app/6309 as presented at .conf21 https://conf.splunk.com/files/2021/recordings/SEC1441A.mp4

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-21-2019 07:07 PM

Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pro's and con's to each solution, the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

securitypaul
Explorer
‎11-04-2020 02:36 AM

Splunk version 8.1 allows you to comment SPL searches. Maybe you could use that as a way to track changes.

https://www.youtube.com/watch?v=sN03YNKZeBM

https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Addcommentstosearches

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top