Splunk Search

The correlation search "Network - blah blah blah - Rule" in app "DA-ESS-AccessProtection" has no corresponding saved searches stanza.

splunkrocks2014
Communicator

Hi. There is no direct way to remove the correlation search via the ES UI. We found that the rule was removed from "Searches, reports, and alerts", and it seems this "works" as expected because the correlation search does not show up in "Content Management". However, we are getting messages like "The correlation search "Network - blah blah blah - Rule" in app "DA-ESS-AccessProtection" has no corresponding saved searches stanza." When we looked into the back end, the correlation search still remains in "correlationsearches.conf", but there is no saved search corresponding to this correlation search under "savedsearches.conf". Does anyone know how to fix this issue? Thanks.


pj
Contributor

This can also be done via the REST API:
http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTconfigurations#Updating_Configuration...

Example:
You have a stanza entry in correlationsearches.conf called "Access - My Test Search - Rule"

List the stanza item first to check you have the right place. You might need to change the app from the below, depending on what app you saved your correlation search in. Additionally, you will need to use URL-encoded names due to the spaces ES uses in its search naming:

curl -k -u admin:changeme https://searchhead.mysplunkenv.com:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/configs/conf...

Assuming you get back results and it matches what you want to delete, now run the following (note the addition of -X and "DELETE"):

curl -k -X "DELETE" -u admin:changeme https://searchhead.mysplunkenv.com:8089/servicesNS/nobody/SplunkEnterpriseSecuritySuite/configs/conf...

As with any time you delete something, you are going to want to test this before you start pulling the trigger. For example, I ran a quick test on a local Splunk environment, creating a correlationsearches.conf and then adding in some stanzas, then having a go at deleting them via this command etc. The SH in question may also need a restart due to the conf change, but I'm not sure; maybe a debug refresh will suffice, or maybe when you do things via REST like this there is no need to do either.
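As an added example (not code from pj's post or from Splunk), the check-then-delete sequence above wrapped in a small POSIX shell script. It assumes the standard Splunk REST pattern `configs/conf-<file>/<stanza>` on management port 8089 and the `SplunkEnterpriseSecuritySuite` app used in the thread; the variables `SPLUNK_HOST`, `SPLUNK_APP`, `SPLUNK_AUTH` and `CONFIRM` are names invented for this script, and the stanza name used in the usage line is the constructed one from the post.

```shell
#!/bin/sh
# Added example: safely remove an orphaned correlationsearches.conf stanza
# via the Splunk REST configs endpoint. Assumptions (not from the thread):
# the configs/conf-<file>/<stanza> endpoint layout, port 8089, and the
# environment variables SPLUNK_HOST, SPLUNK_APP, SPLUNK_AUTH (user:pass)
# and CONFIRM, which are invented for this script.

# Percent-encode one stanza name so the spaces and hyphens in ES names
# ("Access - My Test Search - Rule") are safe inside a URL path segment.
# Unreserved characters (RFC 3986) pass through; everything else becomes %XX.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}                 # drop it from the remainder
    case $c in
      [a-zA-Z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the REST URL for a stanza in correlationsearches.conf.
# Defaults are placeholders; override with SPLUNK_HOST / SPLUNK_APP.
stanza_url() {
  printf 'https://%s:8089/servicesNS/nobody/%s/configs/conf-correlationsearches/%s' \
    "${SPLUNK_HOST:-searchhead.example.com}" \
    "${SPLUNK_APP:-SplunkEnterpriseSecuritySuite}" \
    "$(urlencode "$1")"
}

# Step 1: GET the stanza. --fail turns a 404 into a non-zero exit, so a
# mistyped name stops the script instead of falling through to DELETE.
# -k is copied from the thread; it disables TLS verification, so drop it
# once the management port presents a certificate your CA trusts.
show_stanza() {
  curl -sS -k --fail -u "${SPLUNK_AUTH:?set SPLUNK_AUTH=user:pass}" \
    "$(stanza_url "$1")?output_mode=json"
}

# Step 2: DELETE, but only after the GET succeeded and only when the
# caller explicitly opted in with CONFIRM=yes (default is a dry run).
delete_stanza() {
  if ! show_stanza "$1" >/dev/null; then
    echo "stanza '$1' not found in $(stanza_url "$1"); nothing deleted" >&2
    return 1
  fi
  if [ "${CONFIRM:-no}" != "yes" ]; then
    echo "dry run: would DELETE $(stanza_url "$1") (set CONFIRM=yes to proceed)" >&2
    return 0
  fi
  curl -sS -k --fail -X DELETE -u "$SPLUNK_AUTH" "$(stanza_url "$1")"
}

# Usage (constructed name from the post):
#   SPLUNK_HOST=searchhead.mysplunkenv.com SPLUNK_AUTH=admin:changeme \
#     CONFIRM=yes sh remove_corr_search.sh "Access - My Test Search - Rule"
if [ -n "${1:-}" ]; then
  delete_stanza "$1"
fi
```

The GET-before-DELETE ordering mirrors the two curl commands in the post; the dry-run default means the first run only prints the exact URL that would be deleted, which is the check the post recommends doing before "pulling the trigger".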

pj
Contributor

Can confirm that you don't need to restart after deleting the entry from correlationsearches.conf. The errors go away the next day.

0 Karma

maciep
Champion

So you don't want that correlation search anymore? If not, and it's already gone from savedsearches, just remove the stanza from correlationsearches.conf too. Depending on your environment, that might be accomplished a few different ways, e.g. cluster (local or on the deployer) or standalone.

Side note, we are a few versions behind on ES, but I think removing a correlation search from the web should be possible. If that doesn't work and you think it should, maybe open a case with Splunk.

0 Karma

pj
Contributor

You still can't (as of ES 4.1.0) do this from the GUI, and it is a pain if you are a Splunk Cloud customer as you have no access to the back-end configuration files. If you remove the saved search, then there will be errors every day due to the correlation search not being mapped to a corresponding saved search.

0 Karma

claudio_manig
Communicator

It's not just a pain for cloud users; you should be able to delete a correlation search in one place without touching the files themselves. Can anyone from Splunk tell if this bug is going to be (or already is) fixed in a future ES release?

0 Karma