Splunk Search

Rename the existing Correlation search?

renjujacob88
Path Finder

Hi Splunkers,

Whats the best way to rename the existing correlation search.?

alt text

sdoumbia4321
Engager


There is an easier solution.
Click Settings > Searches,reports and alerts > search the name of the correlation
Under Actions, click Edit > Advanced Edit > and edit "action.correlationsearch.label" > Save

If you refresh the content page , it should be the new name you set it to

jaxjohnny2000
Builder

https://docs.splunk.com/Documentation/ES/5.2.1/Admin/Upgradecorrelationsearches

Upgrade correlation searches in Splunk Enterprise Security
Starting in Splunk Enterprise Security version 4.6.0, correlationsearches.conf is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.

E83129
Engager

The above poster's answer does not work on the latest Enterprise Security version.

You must visit the following file

YOUR_SPLUNK_DIRECTORY/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf

Then modify two lines. I copied and pasted my config below with the parts that need to be modified in bold.

[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times

Restart your Splunk instance after by running the following

sudo YOUR_SPLUNK_DIRECTORY/bin/splunk restart

mayurr98
SplunkTrust
SplunkTrust

Hi, they have to be renamed at the config file level because there are two configuration files involved.

Refer this link
https://answers.splunk.com/answers/138322/what-is-the-easiest-way-to-rename-a-correlation-search.htm...

steps:

cd ~/Downloads/SplunkEnterpriseSecurityInstaller/default/src/etc/apps/SA-ThreatIntelligence/default/

grep "Rule\]" savedsearches.conf 
 [Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

grep "Rule\]" correlationsearches.conf 
[Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

I hope this helps you!

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!