Splunk Enterprise Security

Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

In our Splunk Enterprise Security instance, I can't enable the default correlation searches that come with it.

I'm logged as Administrator in Splunk.


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Splunk Employee

Hi,

Can you provide some details: What happens when you try to enable them? Is there an error message? What version and OS are you running? Do you have a Splunk license?


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

Hi mdessus,

Thanks for the reply.

In the Actions column of the correlation searches, there is no toggle menu or button to enable the correlation. No, there is no error message being displayed, at least. I'm running ESS v4.5.1 on Windows. Yes, I have a Splunk license.


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Splunk Employee

So, when you go to ES app / Configure / Content Management, there is nothing in the Actions column on any page?
Have you done the ES setup?
Do you have any errors when you go to Settings / Monitoring Console / Health Check?
Any specific errors when you search index=_*?


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

When I follow the mentioned path, in the Actions column of a correlation search, I can only see the action "Disabled".

I did the Splunk Enterprise Security Post-Install Configuration.

No, there are no errors in the Monitoring Console.

There was a Data Model that wasn't being found, but I shared it across all the apps and that fixed the issue; other than that, there are no errors.


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

Hi mdessus,

I found the issue. ESS doesn't provide the edit_correlationsearches capability by default to the admin user.

Sorry for the bother and thanks for the help.


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Splunk Employee

Hum... it used to!


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

Umm, maybe something went wrong in the installation?


Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Splunk Employee

Just to clarify, the ess_admin role gets the edit_correlationsearches capability assignment, and the admin role should be inheriting the ess_admin role.

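The inheritance chain described in the reply above (admin imports ess_admin, which holds edit_correlationsearches) is the kind of thing worth verifying rather than assuming when a capability seems to be missing. The script below is an added example, not code from this thread or from Splunk: it parses a constructed authorize.conf fragment, resolves capabilities through importRoles inheritance, and reports which role in the chain actually grants a capability. The stanza format ([role_<name>], importRoles, <capability> = enabled) follows Splunk's documented authorize.conf syntax; the sample roles other than ess_admin and the function names are my own.

```python
import configparser
from typing import Dict, List, Optional, Set

# Constructed authorize.conf fragment (not taken from any real deployment).
# "admin" imports ess_admin and so should inherit edit_correlationsearches;
# "admin_no_inherit" models an admin role whose import was lost.
SAMPLE_AUTHORIZE_CONF = """
[role_ess_user]
schedule_search = enabled

[role_ess_admin]
importRoles = ess_user
edit_correlationsearches = enabled

[role_admin]
importRoles = ess_admin
change_own_password = enabled

[role_admin_no_inherit]
change_own_password = enabled
"""

Role = Dict[str, object]  # {"imports": [str, ...], "capabilities": {str, ...}}


def parse_roles(conf_text: str) -> Dict[str, Role]:
    """Turn [role_*] stanzas into {name: {"imports": [...], "capabilities": {...}}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep capability names case-sensitive
    parser.read_string(conf_text)
    roles: Dict[str, Role] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        raw_imports = parser[section].get("importRoles", "")
        imports = [r.strip() for r in raw_imports.split(";") if r.strip()]
        capabilities = {
            key for key, value in parser[section].items()
            if key != "importRoles" and value.strip().lower() == "enabled"
        }
        roles[name] = {"imports": imports, "capabilities": capabilities}
    return roles


def effective_capabilities(roles: Dict[str, Role], role: str,
                           _seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of a role's own capabilities and everything it imports (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    caps = set(roles[role]["capabilities"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def grant_path(roles: Dict[str, Role], role: str, capability: str,
               _seen: Optional[Set[str]] = None) -> Optional[List[str]]:
    """Chain of roles from `role` down to the one that directly holds `capability`."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return None
    _seen.add(role)
    if capability in roles[role]["capabilities"]:
        return [role]
    for parent in roles[role]["imports"]:
        sub = grant_path(roles, parent, capability, _seen)
        if sub:
            return [role] + sub
    return None


def can_edit_correlation_searches(roles: Dict[str, Role], role: str) -> bool:
    """True when the role ends up with edit_correlationsearches, directly or inherited."""
    return "edit_correlationsearches" in effective_capabilities(roles, role)


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for name in ("admin", "admin_no_inherit"):
        path = grant_path(roles, name, "edit_correlationsearches")
        status = " -> ".join(path) if path else "NOT granted"
        print(f"{name}: edit_correlationsearches {status}")
```

Against the sample, admin resolves to the path admin -> ess_admin, while admin_no_inherit reports the capability as not granted, which is the symptom the original poster saw. On a live system the same resolution can be checked by comparing the role's imported_capabilities in Settings / Roles against this expectation.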

Re: Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

Communicator

Thanks for the comment, ekost!
