- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Migrate ES correlation rules to a custom app
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would have to move my custom Correlation rules to a custom TA-foo app
My correlation searches comprises of:
- custom rules created from scratch (all across the apps estate - yup, its a mess) and
- a few of the OOB CRs from the DA-ESS-, SA-, TA-, Splunk_SA_, Splunk_TA_, and Splunk_DA-ESS_ apps that were modified as per my requirement
Are there any best practices/recommendations that i need to consider other than
- Add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
- add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the Correlation searches that i migrate
PS: I will also migrate the dependant KOs (macros/lookups etc) in a similar fashion to the TA-foo add on.
Is there any other better way to go about it, just to be future safe for upgrades, so that i have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade .
Splunk version 7.3.0
ES version 5.3.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@soumyasaha25 Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.
You can have dispatch context as ES if you want.
Test/check splunkd.logs/btool for any errors after migration and restarting the instances.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@soumyasaha25 Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.
You can have dispatch context as ES if you want.
Test/check splunkd.logs/btool for any errors after migration and restarting the instances.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
