Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

rphillips_splun
Splunk Employee
Splunk Employee
‎04-19-2018 10:31 AM

The ES Incident Review page still lists deleted Correlation Searches Names in the Multiselect box "Correlation Search Name". We'd like to not see these correlation searches in this filter box after we delete them.

Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splun
Splunk Employee
Splunk Employee
‎04-19-2018 10:34 AM
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

View solution in original post

Reply
Solved! Jump to solution

vhallan_splunk
Splunk Employee
Splunk Employee
‎03-01-2019 08:09 AM

When raising this with Splunk Support please reference SOLNESS-15144

0 Karma
Reply
Solved! Jump to solution
Solution

rphillips_splun
Splunk Employee
Splunk Employee
‎04-19-2018 10:34 AM
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

Reply
Solved! Jump to solution

rphillips_splun
Splunk Employee
Splunk Employee
‎04-19-2018 10:32 AM

Steps to repro:
1. Create a correlation search
2. View the Incident Review page and click the multi select filter box for "Correlation Search Name" and find the correlation search
3. Delete the correlation search
4. The deleted correlation search still shows up in the filter box on the Incident Review page

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...