How to create multiple new custom data source cate...

julio-luz · ‎08-24-2022

Hello

I would like to create multiple new custom data source categories to use them in a Partner Integration app on Splunk Security Essentials.

I already read this documentation, then I was able to create a single new custom data source category. However, when trying to create multiple custom data source categories by changing the "company_name" of other security contents, there were no updates to the existing data source categories. Therefore, they were not created and only the first data source category that I had created continued to appear.

Finally, I noticed the following snippet in the SSE documentation in the "Populating Data Inventory" section: "[...] it will take any detections that have a create_data_inventory=true configuration. For the first piece of content that it finds, it will add a new item to data_inventory output [...]". And then I was in doubt if the app is really programmed to create only a new data source category informed, not creating the others, after having created the first.

So I have the following questions:
1. Is it possible to create multiple new custom data source categories?
2. How could I create them?

How to create multiple new custom data source categories on Splunk Security Essentials?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation