Splunk Enterprise Security

Splunk Enterprise Security Content Update and ES documentation inconsequence


User Guide for ESCU version 3.0.5 (https://docs.splunk.com/Documentation/ESSOC/3.0.5/user/ConfigureSplunkEnterpriseSecurity(ES)touseMLT...) refers to ES User Guide version 5.2.2 (https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...) on how to install Custom Apps, in this case MLTK. 

The problem is, the same ES User Guide for current ES version (6.2.0) does not exist. I tried to follow the ESCU guide and configure "App Imports Update" but was unable to edit "update_es" input.

Shouldn't this be updated? What is the correct configuration of MLTK for ESCU?

0 Karma

Enterprise Security doesn't have the app import feature in version 6+. Apps are imported based on their security settings like with other Splunk apps.
Also, ES uses MLTK by default so there's no need to configure it to do so.
If this reply helps you, an upvote would be appreciated.
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!