Create a correlation search
A correlation search is a type of search that evaluates events from one or more data sources for defined patterns. When the search finds a pattern, it creates a notable event, adjusts a risk score, or performs an adaptive response action. A correlation search is a saved search with extended capabilities making it easier to create, edit, and use searches for security use cases.
This tutorial is for users who are comfortable with the Splunk Search Processing Language (SPL) and who understand data models and the Splunk App for Common Information Model.
You will learn how to create a correlation search using the guided search creation wizard.
- Part 1: Plan the use case for the correlation search.
- Part 2: Create a correlation search.
- Part 3: Create the correlation search in guided mode.
- Part 4: Schedule the correlation search.
- Part 5: Choose available adaptive response actions for the correlation search.
- Additional resources for creating a correlation search.
Splunk Enterprise Security tutorials | Part 1: Plan the use case for the correlation search |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!