ES (Enterprise Security) | Correlation Searches | Cannot Remove

aportela_work
Explorer

Hi - I am having problems removing a "correlation search". I have tried this via the ES UI from inside the editor and within the "correlation searches" list/page. I can't find a delete or remove button or anything else. I am on Splunk 5.02 with the ES 2.4 app. Any ideas?

Thanks... Al

clynch4283
Engager

There is no way to delete a correlation search. If you are on a single instance, stopping Splunk and then removing the files from disk is going to be your best bet; however, if you are using search head clustering or Splunk Cloud, you can use the REST API to delete the object. This is not a supported method, but it will act as a heavy-handed approach.

In my case I had users delete the saved searches out from under ES so I am only going to show the removal of the correlation search config object.

First you need to URL encode the stanza you want to target.

Stanza in the file

[Network - AWS CloudTrail Logging - Rule]

Url encoded version

Network%20-%20AWS%20CloudTrail%20Logging%20-%20Rule

From the REST API docs, we want to view the object first:

https://<host>:<mPort>/services/configs/conf-correlationsearches/{stanza}

For my example, the curl call would be:

curl -k -u admin:changeme https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Lo...

This should return the XML for the object. If you see "In handler 'conf-correlationsearches': Could not find object id=", STOP and check your URL encoding for your object.

If you see your object there, then you only need to make a delete request; for my example that would be:

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/configs/conf-correlationsearches/Network%20-%20AWS%20CloudTrail%20Lo...

Then run your first call to the conf-correlationsearches endpoint again, and you should see something like:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'conf-correlationsearches': Could not find object id=Network - AWS CloudTrail Logging - Rule</msg>
  </messages>
</response>

That should be it; a restart of Splunk is recommended, but you can do a debug/refresh.
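The check-then-delete sequence from the answer above, as an added example that is not the poster's code: it URL-encodes the stanza name, GETs the object to confirm it resolves, issues the DELETE, and re-checks that the object is gone. The function names, the injected transport callable and the offline stand-in transport are assumptions; the admin credentials and the localhost:8089 management port are placeholders taken from the thread.

```python
import base64
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote, unquote

BASE = "https://localhost:8089/services/configs/conf-correlationsearches"  # assumed mgmt port
NOT_FOUND = "Could not find object id="  # error text quoted in the thread

def stanza_url(stanza, base=BASE):
    return f"{base}/{quote(stanza, safe='')}"  # spaces -> %20, '-' left unchanged

def splunk_transport(user, password):
    """Return transport(url, method) -> (status, body); no cert check, like curl -k (localhost only)."""
    ctx = ssl._create_unverified_context()
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    def send(url, method):
        req = urllib.request.Request(url, method=method, headers={"Authorization": f"Basic {cred}"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send

def remove_correlation_search(stanza, transport, dry_run=False):
    """GET to confirm the object; stop if it is missing (re-check encoding), else DELETE and re-verify."""
    url = stanza_url(stanza)
    status, body = transport(url, "GET")
    if status == 404 or NOT_FOUND in body:
        return "not-found"
    if dry_run:
        return "would-delete"
    status, body = transport(url, "DELETE")
    if status >= 400:
        return f"delete-failed:{status}"
    status, body = transport(url, "GET")
    return "deleted" if NOT_FOUND in body else "still-present"

def fake_transport(store):
    """Constructed offline stand-in; 'store' is the set of stanza names that currently exist."""
    def send(url, method):
        name = unquote(url.rsplit("/", 1)[1])
        if method == "DELETE":
            store.discard(name)
            return 200, "<response/>"
        if name in store:
            return 200, f"<entry><title>{name}</title></entry>"
        return 404, f"In handler 'conf-correlationsearches': {NOT_FOUND}{name}"
    return send
```

Against a real instance, pass `splunk_transport("admin", "<password>")` instead of the fake transport, and run with `dry_run=True` first to confirm the encoded stanza resolves before anything is deleted.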

kausar
Path Finder

You can do something like:

index=notable | head 10 | delete

aportela_work
Explorer

Hey, we found the solution, and below explains the process:

If the Correlated Search was called "Non-standard Access Detect" ...
and was created/configured with the "Access" domain assigned ...
the search will be part of the SA-AccessProtection app ...

... So, you will want to look for a search title that appends the domain and search names.
That is where we found a place to delete the specific Correlated Search.

Hurrah 🙂

aportela_work
Explorer

Forgot to elaborate:
You can find/delete this Correlated Search like any regular search, from the "Searches and Reports" page of the Manager UI.

LukeMurphey
Champion

Unfortunately, deletion of correlation searches is not supported from the UI yet.

If the correlation search is one that is shipped with ES, then I don't recommend attempting to remove it. Instead, just disable it.

If the correlation search is a custom one, then the way to delete one is to find the instance in savedsearches.conf (should be under a local directory) and remove it manually. Restart Splunk after you prune the entry from the conf file.

aportela_work
Explorer

Thanks for looking into this.
