I received this messages error : The correlation search XXXX in app "SplunkEnterpriseSecuritySuite" has no corresponding saved searches stanza. Followings are the content of the savedsearches.conf and correlationsearches.conf.
Anyone encountered this and how to resolve this? It could be because I edit correlation search from settings > searches, report, and alert.
This is likely due to editing from searches, report and alert.
The 4.6 cloud only release notes mention that starting with this release, the correlationsearches.conf file is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.
To resolve your issue now, can you edit the existing correlation search in ES via Configure-Content Management? If it gives you an issue there, your best approach would probably be to grab the content from the saved search and correlation conf files and then re-create it in the Content Management section of ES to ensure things tie together.