Yes, the ES version is not compatible, we upgrade the ES version and it works.
Thank you 🙂

Yes, the ES version is not compatible, we upgrade the ES version and it works.
Thank you 🙂

Yes, the ES version is not compatible, we upgrade the ES version and it works.
Thank you 🙂

Was there an answer to why you were getting these messages that said correlation search has no corresponding saved searches stanza?

I'm seeing the same issue.

Spunk Enterprise version = 6.4.0
Enterprise Security= 4.0.1

savedsearches.conf and correlationsearches.conf look like same search name is available on both conf files.
for example, this is what I can see on both files.

correlationsearches.conf

[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
description = Detects when a account or credential is created and then removed a short time later. This may be an indication of malicious activities.
drilldown_name = View account change events of $user$
drilldown_search = | `datamodel("Change_Analysis", "Account_Management")` | search All_Changes.user="$user$" (All_Changes.action="created" OR All_Changes.action="deleted")
rule_description = Account $user$ on $dest$ created and deleted within $timestr$
rule_name = Client_DEF_ACC_ShortLivedAccountDetected
rule_title = Short-lived Account Detected ($user$)
security_domain = access
severity = high
default_owner = 
default_status = 
disabled = 0
search = 

savedsearches.conf

[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
action.keyindicator.invert = 0
action.risk = 1
action.risk._risk_object = system
action.risk._risk_object_type = system
action.risk._risk_score = 80
action.summary_index = 1
action.summary_index._name = notable
action.summary_index.ttl = 1p
alert.suppress = 1
alert.suppress.fields = const_dedup_id
alert.suppress.period = 14400s
alert.track = 0
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -90m@m
dispatch.latest_time = +0m@m
enableSched = 1
quantity = 0
realtime_schedule = 0
relation = greater than
search = | datamodel Change_Analysis Account_Management search | search "All_Changes.action"="created" OR "All_Changes.action"="deleted" | rename All_Changes.* as * | streamstats values(Account_Management.src_user) AS src_user range(_time) as delta count by user,dest window=2 global=f | where count>1 AND delta

The version of ES that you're using isn't compatible with the version of Enterprise that you have installed (http://docs.splunk.com/Documentation/ES/4.0.1/Install/DeploymentPlanning#Splunk_Enterprise_system_re...) but that may or may not be the cause of this issue.

Are you creating the correlation search on the content management page within Enterprise Security?

There are quite a few correlation searches that come with Enterprise Security that are stored in DA-ESS-* apps (such as DA-ESS-EndpointProtection) so that is not the issue.