Splunk Enterprise Security

Commands not usable from Enterprise Security?

szabados
Communicator

I have an app installed from Splunkbase, which has a custom search command defined in it. I've set the commands to be globally available, and it works fine. I can invoke the commands from any of the apps I have in Splunk, except Enterprise Security.

Is there a way to configure ES to be able to invoke commands from another app's context?

0 Karma
1 Solution

jkat54
SplunkTrust

Check the default.meta and local.meta in the ess app/metadata folder to see if there is an IMPORT key.

If so, add your app to that key.

0 Karma

muebel
SplunkTrust

Hi szabados, ES uses a modular input to control what is allowed in the app context. This input is called app_imports_update.

The input has a few config directives, app_regex in particular controls what comes in. You'll have to update this regex to include the pattern that matches the name of the app you want in.

More info available here:
http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons

Please let me know if this answers your question! 😄

kchamplin_splun
Splunk Employee

In ES you can go to "Configure>General>App Imports Update". From there just change the settings for update_es:

update_es (SA-.)|(Splunk_SA_.) (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(slack_alerts)

In my case I just added |(slack_alerts) to the regex which will import the app slack_alerts from Splunkbase.

0 Karma

szabados
Communicator

Thanks, this has been a headache for me for a while 🙂

0 Karma

muebel
SplunkTrust

Yeah, ES is a special kind of app. You'll need to check that link jkat54 mentioned.

0 Karma

jkat54
SplunkTrust

As per muebel's comment below, ES may revert this change when it runs its configuration checkers. Sounds like you need to do what he is suggesting by editing the modular input called app_imports_update.

http://docs.splunk.com/Documentation/ES/4.6.0/Install/InstallTechnologyAdd-ons#Import_custom_apps_an...

0 Karma
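
Added example, not part of the thread and not Splunk's code: a small audit that compares the two settings the answers point at, the import key in the global `[]` stanza of a .meta file and the app_regex of app_imports_update, to show which apps are imported and whether the regex covers them. The sample file contents, the `.*` wildcards, whole-name matching, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of an ES app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
import = search,SA-Utils,Splunk_SA_CIM,DA-ESS-ThreatIntelligence
export = system

[savedsearches]
import = should_be_ignored
"""

# Constructed regex in the style of the update_es value quoted above.
# Assumption: the wildcards are ".*" and the regex must match the whole app name.
SAMPLE_APP_REGEX = (r"(appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)"
                    r"|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(slack_alerts)")

def parse_global_imports(meta_text):
    """Return the app names listed in the import key of the global [] stanza."""
    stanza, imports = None, []
    for raw in meta_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and stanza == "" and key.strip().lower() == "import":
            imports = [a.strip() for a in value.split(",") if a.strip()]
    return imports

def audit_app(app, meta_text=SAMPLE_META, app_regex=SAMPLE_APP_REGEX):
    """Classify one app by the two settings the answers point at."""
    listed = app in parse_global_imports(meta_text)
    matched = re.fullmatch(app_regex, app) is not None
    if listed and matched:
        return "imported, covered by app_regex"
    if listed:
        return "imported by hand only, not covered by app_regex"
    if matched:
        return "covered by app_regex, not yet in import key"
    return "not imported"

if __name__ == "__main__":
    for name in ("SA-Utils", "slack_alerts", "my_custom_app"):
        print(f"{name}: {audit_app(name)}")
```

An app reported as "imported by hand only" is the case jkat54 warns about above, where a manual edit to the import key is not backed by the regex.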