Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Rename the existing Correlation search?

renjujacob88
Path Finder
‎01-09-2018 08:12 AM

Hi Splunkers,

Whats the best way to rename the existing correlation search.?

alt text

Preview file
28 KB
Reply

sdoumbia4321
Engager
‎10-26-2020 10:29 PM


There is an easier solution.
Click Settings > Searches,reports and alerts > search the name of the correlation
Under Actions, click Edit > Advanced Edit > and edit "action.correlationsearch.label" > Save

If you refresh the content page , it should be the new name you set it to

Reply

jaxjohnny2000
Builder
‎01-17-2019 05:03 AM

https://docs.splunk.com/Documentation/ES/5.2.1/Admin/Upgradecorrelationsearches

Upgrade correlation searches in Splunk Enterprise Security
Starting in Splunk Enterprise Security version 4.6.0, correlationsearches.conf is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.

Reply

E83129
Engager
‎01-10-2019 06:20 PM

The above poster's answer does not work on the latest Enterprise Security version.

You must visit the following file

YOUR_SPLUNK_DIRECTORY/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf

Then modify two lines. I copied and pasted my config below with the parts that need to be modified in bold.

[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times

Restart your Splunk instance after by running the following

sudo YOUR_SPLUNK_DIRECTORY/bin/splunk restart
Reply

mayurr98
Super Champion
‎01-09-2018 08:26 AM

Hi, they have to be renamed at the config file level because there are two configuration files involved.

Refer this link
https://answers.splunk.com/answers/138322/what-is-the-easiest-way-to-rename-a-correlation-search.htm...

steps:

cd ~/Downloads/SplunkEnterpriseSecurityInstaller/default/src/etc/apps/SA-ThreatIntelligence/default/

grep "Rule\]" savedsearches.conf 
 [Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

grep "Rule\]" correlationsearches.conf 
[Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

I hope this helps you!

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...