Splunk Search

Rename the existing Correlation search?

renjujacob88
Path Finder

Hi Splunkers,

Whats the best way to rename the existing correlation search.?

alt text

sdoumbia4321
Engager


There is an easier solution.
Click Settings > Searches,reports and alerts > search the name of the correlation
Under Actions, click Edit > Advanced Edit > and edit "action.correlationsearch.label" > Save

If you refresh the content page , it should be the new name you set it to

jaxjohnny2000
Builder

https://docs.splunk.com/Documentation/ES/5.2.1/Admin/Upgradecorrelationsearches

Upgrade correlation searches in Splunk Enterprise Security
Starting in Splunk Enterprise Security version 4.6.0, correlationsearches.conf is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.

E83129
Engager

The above poster's answer does not work on the latest Enterprise Security version.

You must visit the following file

YOUR_SPLUNK_DIRECTORY/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf

Then modify two lines. I copied and pasted my config below with the parts that need to be modified in bold.

[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times

Restart your Splunk instance after by running the following

sudo YOUR_SPLUNK_DIRECTORY/bin/splunk restart

mayurr98
Super Champion

Hi, they have to be renamed at the config file level because there are two configuration files involved.

Refer this link
https://answers.splunk.com/answers/138322/what-is-the-easiest-way-to-rename-a-correlation-search.htm...

steps:

cd ~/Downloads/SplunkEnterpriseSecurityInstaller/default/src/etc/apps/SA-ThreatIntelligence/default/

grep "Rule\]" savedsearches.conf 
 [Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

grep "Rule\]" correlationsearches.conf 
[Threat - Threat List Activity - Rule]
 [Threat - Watchlisted Events - Rule]

I hope this helps you!

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...