Hello,
I have figured out a strange behavior of Splunk correlation searches. I'm using Splunk Enterprise version 7.0.1 and ES version 4.7.4.
I created a new app to store my custom correlation searches and ensured that it is accepted by Enterprise Security by naming it TA-custom-correlation-searches.
Inside that app I created under local a savedsearches.conf configuration with the following content.
#comment1
[Threat - correlation_search_1 - Rule]
configuration1=...
configuration2=...
....
#comment2
#comment3
#comment4
#comment5
[Threat - corelation_search_2 - Rule]
configuration1=...
configuration2=...
....
#comment6
Both correlation searches work as expected. At this point everything is fine.
Now, I disabled both correlation searches in the ES app under Content Management, and afterwards I took a look at my savedsearches.conf:
#comment1
[Threat - correlation_search_1 - Rule]
configuration1=...
configuration2=...
....
[Threat - corelation_search_2 - Rule]
configuration1=...
configuration2=...
....
#comment6
Splunk deleted all comments between the two correlation searches.
Did somebody figure out the same issue?
Thank you for your help.
Best regards,
Patrick
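To catch this kind of silent loss before it reaches version control, a small check that diffs the comment lines per stanza between two versions of savedsearches.conf is useful. The script below is an added example and not part of the original post or of Splunk; the BEFORE and AFTER texts are constructed from the snippets above, and the stanza names and comment markers in them are taken from the post.

```python
"""Detect comments dropped from savedsearches.conf after a UI-driven rewrite.

Splunk .conf files are INI-like: '[stanza]' headers, key=value lines and
'#' comment lines. The parser keeps every comment line together with the
stanza it follows (None for comments before the first stanza), so two
versions of the file can be diffed for comments that disappeared.
The BEFORE/AFTER texts are constructed from the post above.
"""
from typing import Dict, List, Optional

BEFORE = """#comment1
[Threat - correlation_search_1 - Rule]
configuration1=...
#comment2
#comment3
[Threat - corelation_search_2 - Rule]
configuration1=...
#comment6
"""

AFTER = """#comment1
[Threat - correlation_search_1 - Rule]
configuration1=...
[Threat - corelation_search_2 - Rule]
configuration1=...
#comment6
"""


def comments_by_stanza(text: str) -> Dict[Optional[str], List[str]]:
    """Map each stanza name (None = before the first stanza) to the
    comment lines found between that header and the next one."""
    result: Dict[Optional[str], List[str]] = {None: []}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, [])
        elif line.startswith("#"):
            result[current].append(line)
    return result


def dropped_comments(before: str, after: str) -> Dict[Optional[str], List[str]]:
    """Return comments present in `before` but missing in `after`, per stanza."""
    old, new = comments_by_stanza(before), comments_by_stanza(after)
    lost: Dict[Optional[str], List[str]] = {}
    for stanza, comments in old.items():
        missing = [c for c in comments if c not in new.get(stanza, [])]
        if missing:
            lost[stanza] = missing
    return lost
```

Run it against a checked-in copy and the live file (for example from a deployment pre-commit hook) and fail the check when `dropped_comments` returns anything.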