Splunk Enterprise Security: How to configure data ...

brian1_tate · ‎11-01-2016

As I am fairly new to SHC, I seem to be getting the same message in ES when attempting to edit/view > Configure > Data Enrichment and any of the options related to Identity or anything else from the license manager and deployment server. Where is this properly configured at and can it still be done through Splunk Web or only CLI?

Current instance is running in SHC mode and is not able to add new inputs - is the message I receive when attempting to access Threat Intelligence and Identity Management but not Lists and Lookups.

Thank you!

aaraneta_splunk · ‎03-11-2017

@brian1_tate - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

starcher · ‎02-08-2017

You cannot edit certain things in ES via the GUI when in a search head cluster. You will have to add those things (e.g. new identity and asset list files) in the application configuration files on your SHC deployer and push the changes to your cluster.

Splunk Enterprise Security: How to configure data enrichment?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability