Hi,
I've got the below query that I'm using to try and see when correlation searches have been edited:
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename "eai:acl.owner" as "Created By"
| rename author as "Updated By"
| rename updated as "Update time"
| fields title, search, description, "Update time", "Updated By", "Created By"
The issue that I'm having here is that no matter what I try, I am unable to narrow this down to the last hour for example and it always returns the last couple of months.
Any help on this would be great!
Hi Ra1n,
The | rest command gives you the state of an endpoint, in this case savedsearches. It does not give you a history, which is what you might have expected. That's why time-based searches are not working by default.
If you want an audit on your correlation searches, I would suggest implementing a CI/CD workflow and having the app and/or savedsearches.conf file version controlled... particularly if dealing in security environments.
Best regards,
Andreas
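Added example, not part of the original thread: the answer's point is that `| rest` returns the current state of each saved search, so the history of who changed what has to come from snapshots you keep yourself, for instance savedsearches.conf under version control. The script below shows the diffing half of that workflow. It parses two snapshots of a Splunk-style conf file (handling comments, blank lines and backslash continuations), keeps only stanzas where `action.correlationsearch.enabled` is truthy in the same sense as the original SPL's `match()`, and reports added, removed and modified correlation searches field by field. The conf text, rule names and search strings are constructed sample data; in a CI job the two snapshots would come from the previous commit and the working tree.

```python
import re
from dataclasses import dataclass, field

STANZA_RE = re.compile(r"^\[(.+)\]$")

# Constructed sample: savedsearches.conf at the previous commit (hypothetical rule names).
OLD_CONF = """
[Threat - Example Brute Force - Rule]
action.correlationsearch.enabled = 1
disabled = 0
search = | tstats count from datamodel=Authentication where Authentication.action=failure \\
  by Authentication.src | where count > 100

[Threat - Example Excessive Failed Logins - Rule]
action.correlationsearch.enabled = 1
disabled = 0
search = index=auth action=failure | stats count by user | where count > 20

[Ops - Example Daily License Report]
action.correlationsearch.enabled = 0
search = index=_internal source=*license_usage.log* | stats sum(b) by pool
"""

# Constructed sample: the same file at HEAD. Someone raised the brute-force threshold,
# disabled the failed-logins rule, touched a non-correlation search and added a rule.
NEW_CONF = """
[Threat - Example Brute Force - Rule]
action.correlationsearch.enabled = 1
disabled = 0
search = | tstats count from datamodel=Authentication where Authentication.action=failure \\
  by Authentication.src | where count > 5000

[Threat - Example Excessive Failed Logins - Rule]
action.correlationsearch.enabled = 1
disabled = 1
search = index=auth action=failure | stats count by user | where count > 20

[Ops - Example Daily License Report]
action.correlationsearch.enabled = 0
search = index=_internal source=*license_usage.log* | stats sum(b) by pool, idx

[Threat - Example Suspicious Service Install - Rule]
action.correlationsearch.enabled = true
disabled = 0
search = index=wineventlog EventCode=7045 | stats count by host, Service_Name
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}. Handles '#'
    comments, blank lines and backslash continuations (joined with one space;
    good enough for diffing, not a full Splunk conf parser)."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):          # line continues on the next one
            buf += raw[:-1].strip() + " "
            continue
        logical.append(buf + raw.strip())
        buf = ""
    stanzas, current = {}, None
    for line in logical:
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def is_correlation_search(attrs):
    # Same values the original SPL's match() accepts: 1, t or true, any case.
    return attrs.get("action.correlationsearch.enabled", "0").lower() in {"1", "t", "true"}

@dataclass
class Change:
    stanza: str
    kind: str                                   # "added", "removed" or "modified"
    fields: dict = field(default_factory=dict)  # key -> (old value, new value)

def diff_conf(old, new):
    """Return only the correlation-search stanzas that differ between two snapshots."""
    changes = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is None and is_correlation_search(n):
            changes.append(Change(name, "added", {k: (None, v) for k, v in n.items()}))
        elif n is None and is_correlation_search(o):
            changes.append(Change(name, "removed", {k: (v, None) for k, v in o.items()}))
        elif o is not None and n is not None and (is_correlation_search(o) or is_correlation_search(n)):
            fields = {k: (o.get(k), n.get(k)) for k in sorted(set(o) | set(n))
                      if o.get(k) != n.get(k)}
            if fields:
                changes.append(Change(name, "modified", fields))
    return changes

if __name__ == "__main__":
    # In a CI job the snapshots come from e.g. `git show HEAD~1:path` and the checkout.
    for c in diff_conf(parse_conf(OLD_CONF), parse_conf(NEW_CONF)):
        print(f"{c.kind.upper():9}{c.stanza}")
        for k, (before, after) in c.fields.items():
            print(f"    {k}: {before!r} -> {after!r}")
```

Run against the two constructed snapshots, this flags the raised brute-force threshold, the disabled failed-logins rule and the newly added rule, and ignores the edit to the non-correlation report. The "who" and "when" come from the commit metadata of the repository holding the file, which is exactly the history the REST endpoint cannot provide.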