Splunk Enterprise Security

What are the differences between action.correlationsearch.enabled=1 and disabled=0

EssKay
Engager

Hi,

I got confused when running the following search to identify which searches are enabled in the environment:

| rest splunk_server=local count=0 /services/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain 
| table csearch_name, csearch_label, app, security_domain, description

Because I got a completely different result when I added:

disabled=0

Apparently, there are correlation searches with action.correlationsearch.enabled=1 and disabled=1 at the same time... what does that mean? I found the searches disabled in Content Management, so why is action.correlationsearch.enabled equal to 1?


richgalloway
SplunkTrust

The action.correlationsearch.enabled setting specifies whether or not the *action* is active (1) or not (0).

The disabled setting specifies whether or not the *search* is active (0) or not (1).

---
If this reply helps you, Karma would be appreciated.
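
Added example (not part of the original thread): the question's search extended to show both settings side by side, so correlation searches that carry action.correlationsearch.enabled=1 but are switched off with disabled=1 show up as their own group. The field names search_disabled and search_state are constructed for this example, and the anchored match on disabled assumes the REST endpoint returns it in the same 1/t/true style the original search tests for.

```spl
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "(?i)^(1|t|true)$")
| eval search_disabled=if(match(disabled, "(?i)^(1|t|true)$"), 1, 0)
| eval search_state=if(search_disabled=1, "search not active (disabled=1)", "search active (disabled=0)")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| table csearch_name, csearch_label, app, security_domain, search_state
| sort search_state, app, csearch_name
```

Appending `| stats count by search_state` instead of the table gives a quick count of how many correlation searches are in each state.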
