Re: How to fetch configured correlation data, quer...

sacumen · ‎03-20-2020

How to fetch configured correlation data, Query notable events, including associated correlation rules for an app?

rajashekar_s · ‎01-07-2021

@sacumen see if the following rest query gives what you are looking for

| rest /servicesNS/-/-/saved/searches
| search title=*
| table title cron_schedule eai:acl.owner actions dispatch.earliest_time dispatch.latest_time search

richgalloway · ‎03-20-2020

Query notable events with index=notable.
Correlations rules are stored in the app's savedsearches.conf files.
What other correlation data do you seek?

---
If this reply helps you, Karma would be appreciated.

indut · ‎10-26-2020

Thank you, I had the same query and this answer helped 🙂

sacumen · ‎03-21-2020

Thanks for responding, but I am trying to fetch all the available correlation data through rest call, is there any api to achieve this in splunk?

richgalloway · ‎03-23-2020

Again I ask what correlation data to you seek?
See the REST API manuals for how to get data from Splunk using REST. https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTUM/RESTusing
https://docs.splunk.com/Documentation/Splunk/8.0.2/RESTREF/RESTprolog

---
If this reply helps you, Karma would be appreciated.

How to fetch configured correlation data, query notable events, including associated correlation rules for an app?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!