https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354616#M3397 <P>Yeah, ES is a special kind of app. You'll need to check that link jkat54 mentioned.</P> Tue, 14 Mar 2017 14:24:13 GMT muebel 2017-03-14T14:24:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354611#M3392 <P>I have an app installed from Splunkbase, which has custom search command defined in it. I've set the commands to be globally available, and it works fine. I can invoke the commands from any of the apps I have in Splunk, except Enterprise Security.</P> <P>Is there a way to configure ES to be able to invoke commands from other app's context?</P> Tue, 14 Mar 2017 13:32:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354611#M3392 szabados 2017-03-14T13:32:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354612#M3393 <P>Check the default.meta and local.meta in the ess app/metadata folder to see if there is an IMPORT key.</P> <P>If so, add your app to that key</P> Tue, 14 Mar 2017 13:39:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354612#M3393 jkat54 2017-03-14T13:39:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354613#M3394 <P>Hi szabados, ES uses a modular input to control what is allowed in the app context. This input is called <CODE>app_imports_update</CODE></P> <P>The input has a few config directives, <CODE>app_regex</CODE> in particular controls what comes in. You'll have to update this regex to include the pattern that matches the name of the app you want in.</P> <P>More info available here:<BR /> <A href="http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons">http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons</A></P> <P>Please let me know if this answers your question! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Tue, 14 Mar 2017 13:46:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354613#M3394 muebel 2017-03-14T13:46:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354614#M3395 <P>Thanks, this has been a headache for me for a while <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 14 Mar 2017 13:52:58 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354614#M3395 szabados 2017-03-14T13:52:58Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354615#M3396 <P>As per muebel's comment below, ES may revert this change when it runs it's configuration checkers. Sounds like you need to do what he is suggesting by editing the modular input called app_imports_update.</P> <P><A href="http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons#Import_custom_apps_and_add-ons" target="_blank">http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons#Import_custom_apps_and_add-ons</A></P> Tue, 29 Sep 2020 13:13:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354615#M3396 jkat54 2020-09-29T13:13:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354616#M3397 <P>Yeah, ES is a special kind of app. You'll need to check that link jkat54 mentioned.</P> Tue, 14 Mar 2017 14:24:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354616#M3397 muebel 2017-03-14T14:24:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354617#M3398 <P>In ES you can go to "Configure&gt;General&gt;App Imports Update". From there just change the settings for update_es: </P> <P>update_es (SA-.<EM>)|(Splunk_SA_.</EM>) (appsbrowser)|(search)|([ST]A-.<EM>)|(Splunk_[ST]A_.</EM>)|(DA-ESS-.<EM>)|(Splunk_DA-ESS_.</EM>)|(slack_alerts)</P> <P>In my case I just added |(slack_alerts) to the regex which will import the app slack_alerts from Splunkbase.</P> Tue, 29 Sep 2020 13:13:52 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Commands-not-usable-from-Enterprise-Security/m-p/354617#M3398 kchamplin_splun 2020-09-29T13:13:52Z