Splunk Enterprise Security

Splunk Enterprise Security: Why am I receiving error "The correlation search...has no corresponding saved searches stanza"?

dellytaniasetia
Explorer

Hi,

I received this messages error : The correlation search XXXX in app "SplunkEnterpriseSecuritySuite" has no corresponding saved searches stanza. Followings are the content of the savedsearches.conf and correlationsearches.conf.

Anyone encountered this and how to resolve this? It could be because I edit correlation search from settings > searches, report, and alert.

In the local/savedsearches.conf

[Rule Name - XXXXXXXXX]
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable = 1
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
alert.suppress = 1
alert.suppress.fields = const_dedup_id
alert.suppress.period = 3600s
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */20 * * * *
disabled = 1
dispatch.earliest_time = -20m
dispatch.latest_time = now
dispatch.rt_backfill = 1
enableSched = 1
search = index=fireeye source=hx 

In the local/correlationsearches.conf

[Rule Name - XXXXXXXXX]
description = description of the rule
next_steps = {"version":1, "data":""}
rule_description = description of the rule
rule_name = XXXXX
rule_title = XXXXX
security_domain = endpoint
severity = high
0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

This is likely due to editing from searches, report and alert.

The 4.6 cloud only release notes mention that starting with this release, the correlationsearches.conf file is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.

The cloud release has some additional steps that will be needed post upgrade so when our next version comes out, I expect similar steps to be called out. If you want to check out the cloud notes about what we are doing there, you can find it here: http://docs.splunk.com/Documentation/ES/4.6.0/User/ConfigureCorrelationSearches#Correlation_searches...

To resolve your issue now, can you edit the existing correlation search in ES via Configure-Content Management? If it gives you an issue there, your best approach would probably be to grab the content from the saved search and correlation conf files and then re-create it in the Content Management section of ES to ensure things tie together.

Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...