I am trying to generate a list of existing correlation searches which includes the following details:

- Risk Object field (optional, but nice to have).

I have put together the following:

|rest /services/alerts/correlationsearches
|rename eai:acl:app as application, title as csearch_name
|join type=outer app csearch_name
|eval status=if(disabled=1,"Disabled","Enabled")
|table app security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status

This produces something like:

security_domain | rule_title | csearch_name | description | severity | csearch | disabled | status
Access | Account Deleted | Access - Account Deleted - Rule | Detects user and computer account deletion | medium | | 1 | Disabled

Which gives me part of what I want, but I am unsure how to pull in the risk scores attached to the correlation search. How does Splunk tie the risk scores into the correlation search, and how would I go about attaching it to the search?

I just stumbled upon this answer and thought I'd add my own query for getting all of the correlation search metadata:

| localop
| rest /services/alerts/correlationsearches
| eval throttling=if('alert.suppress'=1,"TRUE","FALSE")
| eval "action.notable"=mvfind(actions,"notable")
| eval "action.notable"=if('action.notable'=0,"TRUE","FALSE")
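As an added example (not code from either post), the Python below shows where Enterprise Security ties a risk score to a correlation search: the score is nothing more than parameters of the search's "risk" alert action in savedsearches.conf, alongside the disabled, alert.suppress and action.notable settings the answer's SPL reads through the REST endpoint. The stanza text is constructed, and the parameter names action.risk.param._risk_score, _risk_object and _risk_object_type are assumed from older ES releases (newer releases changed the layout), so confirm them against your own install.

```python
import configparser

# Constructed savedsearches.conf fragment shaped like ES correlation search stanzas.
SAVEDSEARCHES_CONF = """
[Access - Account Deleted - Rule]
disabled = 1
action.notable = 1
action.notable.param.severity = medium
alert.suppress = 1
action.risk = 1
action.risk.param._risk_score = 40
action.risk.param._risk_object = user
action.risk.param._risk_object_type = user

[Endpoint - Malware Outbreak - Rule]
disabled = 0
action.notable = 1
action.notable.param.severity = high
alert.suppress = 0
action.risk = 0
"""

# Assumed (older ES) risk action parameter keys; adjust for your release.
RISK_KEYS = ("_risk_score", "_risk_object", "_risk_object_type")


def parse_correlation_searches(conf_text: str) -> list:
    """Return one row per stanza with status, throttling, notable and risk fields."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (e.g. action.risk.param._risk_score)
    cp.read_string(conf_text)
    rows = []
    for name in cp.sections():
        s = cp[name]
        row = {
            "csearch_name": name,
            "severity": s.get("action.notable.param.severity"),
            "status": "Disabled" if s.get("disabled", "0") == "1" else "Enabled",
            "throttling": s.get("alert.suppress", "0") == "1",
            "notable": s.get("action.notable", "0") == "1",
        }
        # Risk scoring is just the 'risk' alert action plus its parameters.
        risk_on = s.get("action.risk", "0") == "1"
        for key in RISK_KEYS:
            row[key.lstrip("_")] = s.get("action.risk.param." + key) if risk_on else None
        if row["risk_score"] is not None:
            row["risk_score"] = int(row["risk_score"])
        rows.append(row)
    return rows
```

Against a live system you would feed it the output of `splunk btool savedsearches list` or the fields returned by `| rest /services/saved/searches` instead of the constructed text.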