Splunk Enterprise Security

What are the differences between action.correlationsearch.enabled=1 and disabled=0

EssKay
Engager

Hi,


I got confused when running the following search to identify the enabled searches in the environment:

| rest splunk_server=local count=0 /services/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain 
| table csearch_name, csearch_label, app, security_domain, description

Because I got a completely different result when I added:

disabled=0

Apparently, there are correlation searches with action.correlationsearch.enabled=1 and disabled=1 at the same time... what does that mean? I found the searches disabled in Content Management, so why does action.correlationsearch.enabled equal 1?

1 Solution

richgalloway
SplunkTrust

The action.correlationsearch.enabled setting specifies whether the *action* is active (1) or not (0).

The disabled setting specifies whether the *search* is active (0) or not (1).

---
If this reply helps you, Karma would be appreciated.

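The two flags are independent, which is exactly what produces searches that are correlation searches (action.correlationsearch.enabled=1) yet never run (disabled=1). The Python below is an added example, not code from this thread or from Splunk: it reproduces the classification the question's SPL performs, but offline over a constructed savedsearches.conf-style input (three made-up stanzas, none from a real deployment), so you can see which searches the two filters keep. The truthiness check is anchored (1, t or true, case-insensitive), which is stricter than the unanchored regex in the question.

```python
"""Classify saved searches by the two independent flags discussed above.

Added example. The stanza text below is constructed to look like
savedsearches.conf / the /services/saved/searches REST output; it is not
taken from any real Enterprise Security install.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample input: two correlation searches (one disabled) and one
# ordinary report that is not a correlation search at all.
SAMPLE_SAVEDSEARCHES_CONF = """
[Example - Brute Force Access Behavior Detected - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force Access Behavior Detected
action.notable = 1
action.notable.param.security_domain = access
disabled = 0
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action=failure by Authentication.src

[Example - Suspicious Scheduled Task Created - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Suspicious Scheduled Task Created
action.notable = 1
action.notable.param.security_domain = endpoint
disabled = 1
search = | tstats summariesonly=true count from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe by Processes.dest

[Example - Daily Licence Usage Report]
action.email = 1
disabled = 0
search = index=_internal source=*license_usage.log type=Usage | stats sum(b) by idx
"""

# Anchored version of the question's match(): only "1", "t" or "true" count.
_TRUTHY = re.compile(r"^(1|t|true)$", re.IGNORECASE)


def is_truthy(value: str) -> bool:
    """Splunk-style boolean: 1/t/true (any case) is on, everything else is off."""
    return bool(value) and _TRUTHY.match(value.strip()) is not None


def parse_savedsearches(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stanza text into {stanza_name: {key: value}}.

    Only "=" separates key and value so that search strings containing
    "=" or ":" survive intact; key case is preserved because Splunk keys
    are case-sensitive.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def report(stanzas: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows like the question's table command, plus the search's disabled flag."""
    rows = []
    for name, attrs in stanzas.items():
        rows.append({
            "csearch_name": name,
            "csearch_label": attrs.get("action.correlationsearch.label", ""),
            "security_domain": attrs.get("action.notable.param.security_domain", ""),
            "is_correlation_search": is_truthy(attrs.get("action.correlationsearch.enabled", "0")),
            "search_disabled": is_truthy(attrs.get("disabled", "0")),
        })
    return rows


def correlation_searches(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """What the question's original search returns: every correlation search,
    whether or not it is scheduled to run."""
    return [r["csearch_name"] for r in report(stanzas) if r["is_correlation_search"]]


def enabled_correlation_searches(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """What the search returns once disabled=0 is added: only the ones that run."""
    return [r["csearch_name"] for r in report(stanzas)
            if r["is_correlation_search"] and not r["search_disabled"]]


if __name__ == "__main__":
    parsed = parse_savedsearches(SAMPLE_SAVEDSEARCHES_CONF)
    for row in report(parsed):
        print(row)
    print("correlation searches:", correlation_searches(parsed))
    print("enabled correlation searches:", enabled_correlation_searches(parsed))
```

Run against the sample, the first function returns both "- Rule" stanzas and the second only the brute-force one; the licence report never appears because it has no action.correlationsearch.enabled key at all. When auditing which detections are actually live, filter on both flags, and prefer an anchored truthiness test: the unanchored regex in the question would also accept a value such as "10".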
