Splunk Enterprise Security

Splunk Enterprise Security: How to configure data enrichment?

brian1_tate
Path Finder

As I am fairly new to SHC, I seem to be getting the same message in ES when attempting to edit/view > Configure > Data Enrichment and any of the options related to Identity or anything else from the license manager and deployment server. Where is this properly configured at and can it still be done through Splunk Web or only CLI?

Current instance is running in SHC mode and is not able to add new inputs - is the message I receive when attempting to access Threat Intelligence and Identity Management but not Lists and Lookups.

Thank you!

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@brian1_tate - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

starcher
Influencer

You cannot edit certain things in ES via the GUI when in a search head cluster. You will have to add those things (e.g. new identity and asset list files) in the application configuration files on your SHC deployer and push the changes to your cluster.

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...