Splunk Enterprise Security

Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Yaichael
Communicator

In our Splunk Enterprise Security instance, I can't enable the default correlation searches that come with it.

I'm logged in as Administrator in Splunk.

0 Karma
1 Solution

Yaichael
Communicator

Hi mdessus,

I found the issue. ESS doesn't provide the edit_correlationsearches capability by default to the admin user.

Sorry for the bother and thanks for the help.


0 Karma

mdessus_splunk
Splunk Employee

Hum... it used to!

0 Karma

ekost
Splunk Employee

Just to clarify, the ess_admin role gets the edit_correlationsearches capability assignment and the admin role should be inheriting the ess_admin role.

0 Karma
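An added check, not code from any post in this thread: given role definitions shaped like what the Splunk REST endpoint /services/authorization/roles returns (the field names imported_roles and capabilities are assumed to match that output), it resolves whether admin reaches edit_correlationsearches through the ess_admin import chain. The role data below is a constructed sample, not a dump from a real instance.

```python
"""Resolve a Splunk role's effective capabilities through imported roles.

SAMPLE_ROLES is a constructed sample shaped like the JSON from
/services/authorization/roles?output_mode=json (assumed field names:
"imported_roles" and "capabilities"). Swap in a live response to check
whether admin really inherits ess_admin on your install.
"""
from typing import Dict, List, Set

# Constructed sample: admin imports ess_admin, as the thread says it should.
SAMPLE_ROLES: Dict[str, dict] = {
    "ess_admin": {"imported_roles": ["ess_analyst"],
                  "capabilities": ["edit_correlationsearches"]},
    "ess_analyst": {"imported_roles": ["ess_user"],
                    "capabilities": ["edit_notable_events"]},
    "ess_user": {"imported_roles": [], "capabilities": []},
    "admin": {"imported_roles": ["ess_admin", "power"],
              "capabilities": ["admin_all_objects"]},
    "power": {"imported_roles": ["user"], "capabilities": ["schedule_search"]},
    "user": {"imported_roles": [], "capabilities": ["search"]},
}


def effective_capabilities(role: str, roles: Dict[str, dict]) -> Set[str]:
    """Direct plus inherited capabilities, following imported_roles
    transitively; tolerates cycles and roles missing from the listing."""
    seen: Set[str] = set()
    caps: Set[str] = set()
    stack = [role]
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        caps.update(roles[name].get("capabilities", []))
        stack.extend(roles[name].get("imported_roles", []))
    return caps


def capability_path(role: str, cap: str, roles: Dict[str, dict],
                    _seen: Set[str] = None) -> List[str]:
    """Import chain from `role` to the role that grants `cap`, or [] when the
    capability is unreachable (the symptom described in this thread)."""
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    if cap in roles[role].get("capabilities", []):
        return [role]
    for parent in roles[role].get("imported_roles", []):
        chain = capability_path(parent, cap, roles, seen)
        if chain:
            return [role] + chain
    return []
```

If capability_path returns an empty list for admin on a live listing, the ess_admin import (or the capability on ess_admin itself) is what to restore.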

Yaichael
Communicator

Thanks for the comment, ekost!

0 Karma

Yaichael
Communicator

Umm, maybe something went wrong in the installation?

0 Karma

mdessus_splunk
Splunk Employee

Hi,

Can you provide some details: what's happening when you try to enable them? Is there an error message? What version and OS are you running? Do you have a Splunk license?

0 Karma

Yaichael
Communicator

Hi mdessus,

Thanks for the reply.

In the Actions column of the correlation searches, there is no toggle menu or button to enable the correlation. No, there is no error message being displayed, at least. I'm running ESS v4.5.1 on Windows. Yes, I have a Splunk license.

0 Karma

mdessus_splunk
Splunk Employee

So, when you go to ES app / Configure / Content Management, there is nothing in the Actions column on any page?
Have you done the ES setup?
Do you have any errors when you go to Settings / Monitoring Console / Health Check?
Any specific errors when you search index=_*?

0 Karma

Yaichael
Communicator

When I follow the mentioned path, in the Actions column of a correlation search, I can only see the action "Disabled".

I did the Splunk Enterprise Security Post-Install Configuration.

No, there are no errors in the Monitoring Console.

There was a Data Model that wasn't being found, but I shared it with all the apps and that fixed the issue; other than that, there are no errors.

0 Karma