Since ES filters apps imported by name (TA... ), you need to force the import by modifying the file /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf and changing the app_regex in the stanza [app_imports_update://update_es]:
[app_imports_update://update_es]
app_regex = utbox
disabled = 0
Note that in ES versions 4.7 and later, you can do it from the interface: http://docs.splunk.com/Documentation/ES/4.7.1/Install/ImportCustomApps
Note that in ES versions 4.7 and later, you can do it from the interface: http://docs.splunk.com/Documentation/ES/4.7.1/Install/ImportCustomApps
According to some fellow splunkers, the regex should be more similar to that one:
app_regex = ([DST]A-.)|(Splunk_[DST]A_.)|(SplunkEnterpriseSecuritySuite)|(utbox)
And the answer in the already in the question 🙂
Note that this seems to cause an issue when upgrading (at least) to ES 4.0. Remove this setting before !
I'll report this issue.
Should be fixed in ES 4.0.1.