In our Splunk Enterprise Security instance, I can't enable the default correlation searches that come with it.
I'm logged in as Administrator in Splunk.
Hi mdessus,
I found the issue. ESS doesn't provide the edit_correlationsearches capability by default to the admin user.
Sorry for the bother and thanks for the help.
Hmm... it used to!
Just to clarify, the ess_admin role gets the edit_correlationsearches capability assignment and the admin role should be inheriting the ess_admin role.
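To make the inheritance point above checkable, here is an added example (not from this thread, and not Splunk's own code) that resolves the effective capabilities of a role by following importRoles in an authorize.conf-style definition. The role stanzas below are constructed; on a real search head you would feed it the merged authorize.conf (or compare against the roles shown under Settings / Roles).

```python
# Added example: compute a Splunk role's effective capabilities, including
# everything inherited through importRoles. The config text is constructed.
import configparser

SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_ess_admin]
importRoles = power
edit_correlationsearches = enabled
[role_admin]
importRoles = ess_admin;power
edit_user = enabled
"""

def parse_roles(text):
    """Return {role: (imported_roles, capabilities set to 'enabled')}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep capability names case-sensitive
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        # authorize.conf separates imported roles with ';'
        imports = [r for r in cp[section].get("importRoles", "").split(";") if r]
        caps = {k for k, v in cp[section].items()
                if k != "importRoles" and v == "enabled"}
        roles[name] = (imports, caps)
    return roles

def effective_capabilities(roles, role, seen=None):
    """Union of a role's own capabilities and those of every role it imports."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:  # guards against cycles / unknown roles
        return set()
    seen.add(role)
    imports, caps = roles[role]
    result = set(caps)
    for parent in imports:
        result |= effective_capabilities(roles, parent, seen)
    return result

def role_has_capability(text, role, capability):
    return capability in effective_capabilities(parse_roles(text), role)
```

With the constructed config, admin inherits edit_correlationsearches via ess_admin, while power does not; if admin were missing the import, the check would come back False and explain a missing Enable action in Content Management.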
Thanks for the comment, ekost!
Umm, maybe something went wrong in the installation?
Hi,
Can you provide some details: What happens when you try to enable them? Is there an error message? What version and OS are you running? Do you have a Splunk license?
Hi mdessus,
Thanks for the reply.
In the Actions column of the correlation searches, there is no toggle menu or button to enable the correlation. No, there is no error message being displayed, at least. I'm running ESS v4.5.1 on Windows. Yes, I have a Splunk license.
So, when you go to ES app / Configure / Content Management, there is nothing in the Actions column on any page?
Have you done the ES setup ?
Do you have any errors when you go to Settings / Monitoring Console / Health Check ?
Any specific errors when you search index=_* ?
When I follow the mentioned path, in the Actions column of a correlation search, I can only see the action "Disabled".
I did the Splunk Enterprise Security Post-Install Configuration.
No, there are no errors in the Monitoring Console.
There was a Data Model that wasn't being found, but I shared it across all the apps and that fixed the issue; other than that, there are no errors.