Splunk search for Datamodels Used by Enterprise Security Correlation Searches
| rest splunk_server=local /services/saved/searches
| where match(search,"datamodel") and 'action.correlationsearch.enabled'=1
| fields title search
| rex field=search "datamodel=(?<datamodel1>\S+)"
| rex field=search "datamodel:(?<datamodel2>\S+)"
| rex field=search "datamodel\s\"(?<datamodel3>[^\"]+)"
| eval datamodel=coalesce(datamodel1,datamodel2,datamodel3)
| table title search datamodel
This Splunk search queries the saved-searches REST endpoint on the local search head, keeps only enabled Enterprise Security correlation searches whose SPL mentions a data model, and extracts the referenced data model from the three common forms (tstats `datamodel=Name`, `from datamodel:Name`, and the `| datamodel "Name"` command). The resulting table shows which data models are currently used by which correlation searches, which is useful for assessing impact when a data model or a correlation search is changed.
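The same extraction done outside Splunk, as an added example that is not part of the original page: it applies the three reference forms from the search above to a constructed set of saved-search records (the titles and SPL strings are made up for illustration), collects every data model a search references rather than only the first match, strips the dataset part so impact is tracked per data model, and inverts the result into a data-model-to-correlation-search map.

```python
import re
from collections import defaultdict

# Constructed sample saved-search records with the fields the page's REST
# search uses (title, search, action.correlationsearch.enabled).
SAVED_SEARCHES = [
    {"title": "Excessive Failed Logins", "action.correlationsearch.enabled": "1",
     "search": "| tstats count from datamodel=Authentication.Failed_Authentication by Authentication.src"},
    {"title": "Prohibited Port Activity", "action.correlationsearch.enabled": "1",
     "search": "| from datamodel:Network_Traffic.All_Traffic | stats count by dest_port"},
    {"title": "Endpoint Process Listing", "action.correlationsearch.enabled": "1",
     "search": '| datamodel "Endpoint" Processes search | stats count by Processes.process_name'},
    {"title": "Multi Model Join", "action.correlationsearch.enabled": "1",
     "search": "| tstats count from datamodel=Authentication by Authentication.user "
               "| append [| tstats count from datamodel=Endpoint.Processes by Processes.user]"},
    {"title": "Disabled Legacy Search", "action.correlationsearch.enabled": "0",
     "search": "| tstats count from datamodel=Web by Web.url"},
]

# One pattern covering the three reference forms the page's rex commands match:
# datamodel=Name[.Dataset] (tstats), datamodel:Name[.Dataset] (from), datamodel "Name".
DATAMODEL_REF = re.compile(r'datamodel(?:=|:|\s")(?P<ref>[^\s"]+)')

def datamodels_in_search(spl):
    """Base data model names referenced in one SPL string.
    Collects every match (rex stops at the first by default) and strips
    the dataset part (Name.Dataset -> Name) so impact is tracked per model."""
    return sorted({m.group("ref").split(".")[0] for m in DATAMODEL_REF.finditer(spl)})

def correlation_search_datamodels(saved_searches):
    """Map each enabled correlation search that mentions a data model to the
    models it uses, mirroring the page's where clause."""
    return {s["title"]: datamodels_in_search(s["search"])
            for s in saved_searches
            if s.get("action.correlationsearch.enabled") == "1"
            and "datamodel" in s["search"]}

def searches_by_datamodel(saved_searches):
    """Invert the mapping: which correlation searches to re-test if a model changes."""
    impact = defaultdict(list)
    for title, models in correlation_search_datamodels(saved_searches).items():
        for model in models:
            impact[model].append(title)
    return dict(impact)
```

Feeding it the JSON output of the REST call from the search above (`output_mode=json`, entry content fields) instead of the constructed list gives the same per-model impact view for a real deployment.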