correlation search


A correlation search is a type of scheduled search. It lets you detect suspicious events and patterns in your data. You can configure a correlation search to generate a notable event when search results meet specific conditions. The correlation search results must include at least one event to generate a notable. You can investigate notable events using the Incident Review dashboard in Splunk Enterprise Security and the Splunk App for PCI Compliance, or the Notable Events Review dashboard in Splunk IT Service Intelligence.
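As an added illustration (not taken from Splunk's documentation), a correlation search of this kind could be defined in savedsearches.conf along the following lines. The stanza name, search string, threshold, schedule and suppression window are constructed for the example, and it assumes the Authentication data model is populated.

```ini
# Constructed example stanza; names and thresholds are assumptions.
[Access - Example Repeated Failed Logins - Rule]

# Mark the saved search as a correlation search in Enterprise Security.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Example Repeated Failed Logins

# It is a scheduled search: run every 15 minutes over the last hour.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now

# The search returns one row per src/user pair that meets the threshold.
# If no pair meets it, the search returns zero results.
search = | tstats summariesonly=true count from datamodel=Authentication \
    where Authentication.action="failure" \
    by Authentication.src, Authentication.user \
  | rename Authentication.* as * \
  | where count >= 20

# Trigger condition: at least one result. With zero results nothing fires,
# so no notable event is created.
counttype = number of events
relation = greater than
quantity = 0

# Adaptive response action: create a notable event for Incident Review.
action.notable = 1
action.notable.param.rule_title = Repeated failed logins from $src$
action.notable.param.rule_description = $count$ failed logins for $user$ from $src$ in the last hour.
action.notable.param.security_domain = access
action.notable.param.severity = medium

# Throttle: do not raise the same src/user pair again for 24 hours.
alert.suppress = 1
alert.suppress.fields = src,user
alert.suppress.period = 86400s
```

The `where count >= 20` clause does the filtering, so the trigger condition only has to check that any result came back.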

For more information

In Use Splunk Enterprise Security:

In the Splunk App for PCI Compliance Installation and Configuration Manual: