Splunk Enterprise Security

SecKit with ES 6.1.1

New Member

I am trying to configure SecKit with ES 6.1.1 but I am running into an issue with the configuration I am hoping someone has completed this and can shed some light.


As an es_admin navigate to Splunk Enterprise Security
From the Configure menu select General
From the General menu select App Imports Update
Click on “update_es”
Append |(SecKit_[ST]A_.*) to the Application Regular Expression`
Click Save

When I go to the General Menu I do not see the option for App imports, I have looked around and have not seeing this at all.

If I skip this step I can run the first search: | inputlookup seckit_idm_network_masks_lookup to validate that results are there.

But when I run the next steps of saved searches I get errors.

Run the search | from savedsearch: "seckit_idm_common_assets_networks_lookup_gen" This one works fine with no issues.

Run the search | from savedsearch: "Identity - Asset String Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

Run the search | from savedsearch: "Identity - Asset CIDR Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

When I go to look for the searches I can not find them. I have used SecKit in the past and it was awesome I was hoping to get it up and running in Splunk 8 and ES 6.1.1.

I have SecKit_SA_idm_common 3.0.8Rbaf6f27, SecKit_SA_idm_windows 3.0.4Ra988ca6, and SecKit_TA_idm_windows 1.0.3R4bb45a7 all installed.

0 Karma


Hi kbrazil899,

I was having the same issue as you and finally figured out. It looks like you are running ES version 6 and above.

In ES version 6 and above, they retired the saved search for "Identity - Asset String Matches - Lookup Gen" and  "Identity - Asset CIDR Matches - Lookup Gen."

You can find more information here: https://docs.splunk.com/Documentation/ES/6.2.0/Admin/Assetandidentitylookups

Instead of running saved searches, you run lookups for data to merge. You can get more info here in the how to run lookup searches: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ConfigureKVstorelookups

For the saved searches above, you can run 

| inputlookup asset_lookup_by_str

| inputlookup asset_lookup_by_cidr


0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...