Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: What is the distinction between savedsearch and correlation search?

jgbricker
Contributor
‎02-08-2017 11:34 AM

Trying to figure out why the Splunk Enterprise Security App has a savedsearch and a correlation search for brute force seems redundant but probably missing a key distinction. Can someone give me some guidance?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

starcher
Influencer
‎02-08-2017 11:42 AM

savedsearch is the search knowledge object for the notable. the correlationsearch.conf stanza goes with that and ES needs it for all the notable like settings. hooks to active responses, title, links for drill down etc.

View solution in original post

Reply
Solved! Jump to solution
Solution

starcher
Influencer
‎02-08-2017 11:42 AM

savedsearch is the search knowledge object for the notable. the correlationsearch.conf stanza goes with that and ES needs it for all the notable like settings. hooks to active responses, title, links for drill down etc.

Reply
Solved! Jump to solution

jgbricker
Contributor
‎02-08-2017 11:46 AM

Okay so to clarify further, I would need both if I were adding my own detections into the ES framework? I didn't see that in the documentation.

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎02-08-2017 12:05 PM

Yes and the GUI based create process handles all that for you.
http://docs.splunk.com/Documentation/ES/4.6.0/Tutorials/CorrelationSearch

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎02-08-2017 12:04 PM

Yes, you would need stanzas in both if you were to add your own correlation searches. However, I'd recommend that you use the content management page to create the searches so that the proper attributes are saved in the proper locations. Starting in 4.6.0, only savedsearches.conf references are needed.

0 Karma
Reply
Solved! Jump to solution

jgbricker
Contributor
‎02-08-2017 12:07 PM

Okay, it does appear that when i add a correlation search via the UI (Content Management > Create Content) a savedsearch is created automatically. Doesn't this mean Splunk has to search for the same thing twice to do all the things it needs to do for ES. Perhaps I'm still confused here.

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎02-08-2017 12:42 PM

No, the search isn't performed twice, it's just a detail about how the search is stored.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...