There is no way to delete a correlation search. If you are on a single instance, stopping Splunk and then removing the files from disk is going to be your best bet; however, if you are using search head clustering or Splunk Cloud, you can use the REST API to delete the object. This is not a supported method, but it will act as a heavy-handed approach.
In my case I had users delete the saved searches out from under ES, so I am only going to show the removal of the correlation search config object.
First you need to URL encode the stanza you want to target.
Stanza in the file
[Network - AWS CloudTrail Logging - Rule]
URL-encoded version
Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule
From the REST API docs we want to view the object first
https://<host>:<mPort>/services/configs/conf-correlationsearches/{stanza}
For my example the curl call would be
curl -k -u admin:changeme https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule
This should return the XML for the object. If you see "In handler 'conf-correlationsearches': Could not find object id=", STOP and check the URL encoding for your object.
If you see your object there, then you only need to make a DELETE request. For my example that would be:
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule
Then run your first call to the conf-correlationsearches endpoint again and you should see something like
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">
In handler 'conf-correlationsearches': Could not find object id=Network - AWS CloudTrail Logging - Rule</msg>
</messages>
</response>
That should be it; a restart of Splunk is recommended, but you can do a debug/refresh.
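The view, delete, and re-check sequence above as one guarded script. This is an added example, not part of the original post; the function names and the SPLUNK_MGMT and SPLUNK_AUTH variables are assumptions, with defaults taken from the post's curl calls.

```shell
#!/bin/sh
# Added example. Defaults mirror the host and sample credentials in the post.
SPLUNK_MGMT=${SPLUNK_MGMT:-https://localhost:8089}
SPLUNK_AUTH=${SPLUNK_AUTH:-admin:changeme}
NOT_FOUND='Could not find object id='

# Percent-encode a stanza name; accepts it with or without the [ ] from the .conf file.
urlencode_stanza() (
    name=${1#\[}; name=${name%\]}
    out=""
    # od emits every byte of the name as two hex digits
    for hex in $(printf '%s' "$name" | od -An -tx1); do
        case "$hex" in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # RFC 3986 unreserved byte (A-Z a-z 0-9 - . _ ~): keep the character
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
            *)
                out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
)

# Build the conf-correlationsearches URL for one stanza.
stanza_url() {
    printf '%s/services/configs/conf-correlationsearches/%s' \
        "$SPLUNK_MGMT" "$(urlencode_stanza "$1")"
}

# View first, delete only if the object exists, then confirm it is gone.
# -k skips TLS verification as in the post; drop it where the certificate is trusted.
delete_correlation_stanza() {
    url=$(stanza_url "$1")
    body=$(curl -sS -k -u "$SPLUNK_AUTH" "$url") || return 2
    case "$body" in
        *"$NOT_FOUND"*)
            echo "Object not found; check the URL encoding: $url" >&2
            return 1 ;;
    esac
    curl -sS -k -u "$SPLUNK_AUTH" --request DELETE "$url" >/dev/null || return 2
    # Success means the follow-up GET now reports the object as missing
    curl -sS -k -u "$SPLUNK_AUTH" "$url" | grep -q "$NOT_FOUND"
}
```

Source the file and call delete_correlation_stanza with the stanza name exactly as it appears in the .conf file; a return code of 1 means nothing was deleted because the initial view did not find the object.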