| Parameter |
Choices/Defaults |
Comments |
|
app
string
|
Default:
"SplunkEnterpriseSecuritySuite"
|
Splunk app to associate the correlation seach with
|
|
cron_schedule
string
|
Default:
"*/5 * * * *"
|
Enter a cron-style schedule.
For example '*/5 * * * *' (every 5 minutes) or '0 21 * * *' (every day at 9 PM).
Real-time searches use a default schedule of '*/5 * * * *'.
|
|
description
string
/ required
|
|
Description of the coorelation search, this will populate the description field for the web console
|
|
name
string
/ required
|
|
Name of coorelation search
|
|
schedule_priority
string
|
Choices:
Default ← - Higher
- Highest
|
Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.
|
|
schedule_window
string
|
Default:
"0"
|
Let report run at any time within a window that opens at its scheduled run time, to improve efficiency when there are many concurrently scheduled reports. The "auto" setting automatically determines the best window width for the report.
|
|
scheduling
string
|
Choices:
real-time ← - continuous
|
Controls the way the scheduler computes the next execution time of a scheduled search.
Learn more: https://docs.splunk.com/Documentation/Splunk/7.2.3/Report/Configurethepriorityofscheduledreports#Real-time_scheduling_and_continuous_scheduling
|
|
search
string
/ required
|
|
SPL search string
|
|
state
string
/ required
|
Choices:
- present
- absent
- enabled
- disabled
|
Add, remove, enable, or disiable a correlation search.
|
|
suppress_alerts
boolean
|
|
To suppress alerts from this correlation search or not
|
|
throttle_fields_to_group_by
string
|
|
Type the fields to consider for matching events for throttling.
|
|
throttle_window_duration
string
|
|
How much time to ignore other events that match the field values specified in Fields to group by.
|
|
time_earliest
string
|
Default:
"-24h"
|
Earliest time using relative time modifiers.
|
|
time_latest
string
|
Default:
"now"
|
Latest time using relative time modifiers.
|
|
trigger_alert_when
string
|
Choices:
number of events ← - number of results
- number of hosts
- number of sources
|
Raise the scheduling priority of a report. Set to "Higher" to prioritize it above other searches of the same scheduling mode, or "Highest" to prioritize it above other searches regardless of mode. Use with discretion.
|
|
trigger_alert_when_condition
string
|
Choices:
greater than ← - less than
- equal to
- not equal to
- drops by
- rises by
|
Conditional to pass to trigger_alert_when
|
|
trigger_alert_when_value
string
|
Default:
"10"
|
Value to pass to trigger_alert_when
|
|
ui_dispatch_context
string
|
|
Set an app to use for links such as the drill-down search in a notable event or links in an email adaptive response action. If None, uses the Application Context.
|
