Splunk Enterprise Security

Migrate ES correlation rules to a custom app

soumyasaha25
Contributor

I would have to move my custom correlation rules to a custom TA-foo app.

My correlation searches comprise:

  1. custom rules created from scratch (all across the apps estate - yup, it's a mess) and
  2. a few of the OOB CRs from the DA-ESS-SA-TA-Splunk_SA_Splunk_TA_ and Splunk_DA-ESS_ apps that were modified as per my requirement

Are there any best practices/recommendations that I need to consider other than:

  1. add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
  2. add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the correlation searches that I migrate

PS: I will also migrate the dependent KOs (macros/lookups etc.) in a similar fashion to the TA-foo add-on.

Is there any other, better way to go about it, just to be future-safe for upgrades, so that I have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade?

Splunk version 7.3.0

ES version 5.3.1

0 Karma
1 Solution

lakshman239
Influencer

@soumyasaha25 Normally, if you have access to the UI, you should be able to move/clone the correlation search/knowledge objects (KOs) from one app to another app. This would move all the dependent KOs as well. But if you have a lot to do and have access to conf files, you can copy the contents from different apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can set your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.

You can have dispatch context as ES if you want.

Test/check splunkd.log/btool for any errors after migration and restarting the instances.

0 Karma
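As an added example (not code from the thread or from Splunk), the conf-file route described above done mechanically: read a source app's savedsearches.conf, keep only the stanzas flagged as ES correlation searches (the `action.correlationsearch.enabled = 1` key that ES sets on correlation searches), and set `request.ui_dispatch_app = SplunkEnterpriseSecuritySuite` on each, producing the stanzas for TA-foo/local/savedsearches.conf. The sample conf text and stanza names are constructed for this example; dependent macros/lookups still have to be moved separately, and the result should be checked with btool as the answer suggests.

```python
DISPATCH_APP = "SplunkEnterpriseSecuritySuite"  # dispatch app named in the question

# Constructed sample savedsearches.conf: one ES correlation search (flagged by
# action.correlationsearch.enabled) and one ordinary scheduled report.
SAMPLE_CONF = """\
[Access - Custom Failed Logins by Source - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Custom Failed Logins by Source
cron_schedule = */15 * * * *
search = | tstats count from datamodel=Authentication where Authentication.action=failure \\
  by Authentication.src | where count > 50

[Ops - Daily Index Volume]
cron_schedule = 0 6 * * *
search = index=_internal source=*license_usage.log | stats sum(b) by idx
"""

def parse_stanzas(text):
    """Parse Splunk .conf text into an ordered list of (stanza, [(key, value), ...]).
    Joins backslash-continued lines (multi-line searches) and skips comments."""
    stanzas, current, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: value goes on next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = (stripped[1:-1], [])
            stanzas.append(current)
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[1].append((key.strip(), value.strip()))
    return stanzas

def is_correlation_search(fields):
    return dict(fields).get("action.correlationsearch.enabled") == "1"

def migrate_correlation_searches(conf_text, dispatch_app=DISPATCH_APP):
    """Return (conf text for the custom app's local/savedsearches.conf, migrated stanza names)."""
    out, names = [], []
    for name, fields in parse_stanzas(conf_text):
        if not is_correlation_search(fields):
            continue                     # leave non-CR saved searches in their app
        fields = [(k, v) for k, v in fields if k != "request.ui_dispatch_app"]
        fields.append(("request.ui_dispatch_app", dispatch_app))
        out.append(f"[{name}]\n" + "".join(f"{k} = {v}\n" for k, v in fields))
        names.append(name)
    return "\n".join(out), names
```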