splunk.es.splunk_correlation_search_info module – Gather information about Splunk Enterprise Security Correlation Searches
Note
This module is part of the splunk.es collection (version 5.0.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_correlation_search_info.
New in splunk.es 3.0.0
Synopsis
This module allows for querying information about Splunk Enterprise Security Correlation Searches.
Use this module to retrieve correlation search configurations without making changes.
This module uses the httpapi connection plugin and does not require a local Splunk SDK.
Note
This module has a corresponding action plugin.
Parameters

| Parameter | Comments |
|---|---|
| name | Name of the correlation search to query. If not specified, all correlation searches are returned. |
Examples

```yaml
- name: Query specific correlation search by name
  splunk.es.splunk_correlation_search_info:
    name: "Brute Force Access Behavior Detected"
  register: result

- name: Display the correlation search info
  debug:
    var: result.correlation_searches

- name: Query all correlation searches
  splunk.es.splunk_correlation_search_info:
  register: all_searches

- name: Display all correlation searches
  debug:
    var: all_searches.correlation_searches

- name: Find searches containing specific keyword
  splunk.es.splunk_correlation_search_info:
  register: all_searches

- set_fact:
    filtered_searches: "{{ all_searches.correlation_searches |
      selectattr('name', 'search', 'Brute Force') | list }}"
```
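As an added example (not part of the collection's own documentation), the following playbook uses the module to audit that a baseline set of correlation searches is present on a Splunk ES host and fails the run listing any that are missing. It assumes an inventory group named `splunk` that is already configured for the collection's httpapi connection; the required search names are constructed for illustration.

```yaml
# Added example, not from the splunk.es collection docs: read-only audit that a
# baseline of correlation searches exists. Assumes the "splunk" inventory group
# is already set up for the splunk.es httpapi connection.
- name: Verify baseline correlation searches exist
  hosts: splunk
  gather_facts: false
  vars:
    # Constructed baseline for illustration; replace with your own detection set.
    required_correlation_searches:
      - "Brute Force Access Behavior Detected"
      - "Example Privilege Escalation Detection"   # constructed placeholder name
  tasks:
    - name: Query all correlation searches (no name given returns every search)
      splunk.es.splunk_correlation_search_info:
      register: all_searches

    - name: Collect the names of the searches actually present
      ansible.builtin.set_fact:
        present_search_names: "{{ all_searches.correlation_searches
          | map(attribute='name') | list }}"

    - name: Work out which required searches are absent
      ansible.builtin.set_fact:
        missing_searches: "{{ required_correlation_searches
          | difference(present_search_names) }}"

    - name: Fail the audit if any required correlation search is missing
      ansible.builtin.assert:
        that:
          - missing_searches | length == 0
        fail_msg: "Missing correlation searches: {{ missing_searches | join(', ') }}"
        success_msg: "All {{ required_correlation_searches | length }} required correlation searches are present"
```

The query task is read-only, so the audit can run in a scheduled job without changing any search configuration.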
Return Values

Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| correlation_searches | Information about the correlation search(es). Returned: always |
|  | List of correlation search entries. Returned: success |