Splunk Enterprise Security

Splunk Enterprise Security: How to configure data enrichment?

Path Finder

As I am fairly new to SHC, I seem to be getting the same message in ES when attempting to edit/view > Configure > Data Enrichment and any of the options related to Identity or anything else from the license manager and deployment server. Where is this properly configured at and can it still be done through Splunk Web or only CLI?

Current instance is running in SHC mode and is not able to add new inputs - is the message I receive when attempting to access Threat Intelligence and Identity Management but not Lists and Lookups.

Thank you!

0 Karma

Splunk Employee
Splunk Employee

@brian1_tate - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

SplunkTrust
SplunkTrust

You cannot edit certain things in ES via the GUI when in a search head cluster. You will have to add those things (e.g. new identity and asset list files) in the application configuration files on your SHC deployer and push the changes to your cluster.