Splunk Search
Highlighted

Rename the existing Correlation search?

Path Finder

Hi Splunkers,

Whats the best way to rename the existing correlation search.?

alt text

0 Karma
Highlighted

Re: Rename the existing Correlation search?

SplunkTrust
SplunkTrust

Hi, they have to be renamed at the config file level because there are two configuration files involved.

Refer this link
https://answers.splunk.com/answers/138322/what-is-the-easiest-way-to-rename-a-correlation-search.htm...

steps:

cd ~/Downloads/SplunkEnterpriseSecurityInstaller/default/src/etc/apps/SA-ThreatIntelligence/default/

grep "Rule\]" savedsearches.conf 
 [Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

grep "Rule\]" correlationsearches.conf 
[Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

I hope this helps you!

0 Karma
Highlighted

Re: Rename the existing Correlation search?

Engager

The above poster's answer does not work on the latest Enterprise Security version.

You must visit the following file

YOUR_SPLUNK_DIRECTORY/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf

Then modify two lines. I copied and pasted my config below with the parts that need to be modified in bold.

[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times

Restart your Splunk instance after by running the following

sudo YOUR_SPLUNK_DIRECTORY/bin/splunk restart
Highlighted

Re: Rename the existing Correlation search?

Contributor

https://docs.splunk.com/Documentation/ES/5.2.1/Admin/Upgradecorrelationsearches

Upgrade correlation searches in Splunk Enterprise Security
Starting in Splunk Enterprise Security version 4.6.0, correlationsearches.conf is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.

0 Karma