Splunk Enterprise Security

Splunk enterprise security add-on nomenclature

Communicator

Hi guys,
I am developing an addon for Splunk ES and I'm a little bit confused about the name I have to give to the folder of that addon.

It seems (as here) that I have to name the folder as TA-APPNAME, but under the Splunk ES apps folder I have some other addons named as Splunk_TA_APPNAME (Splunk_TA_windows, Splunk_TA_mcafee..).
Which is the correct one?

And another question: I see that I have many other kind of pattern in my apps directory, as SA-, DA-ESS-. What are they?

thanks!

1 Solution

Splunk Employee
Splunk Employee

Splunk supported TA's are taking on the name Splunk_TA_appname, and the SA / DA names are based on the functionality of the ES app as described in the documentation at :

http://docs.splunk.com/Documentation/ES/latest/Install/ESArchitecture

You can name your's both TA-appname or Splunk_TA_appname and it will get imported.

View solution in original post

Contributor

Splunk Docs link for "Naming conventions for apps and add-ons on Splunkbase" : http://docs.splunk.com/Documentation/Splunkbase/latest/Splunkbase/Namingguidelines

Mitesh.

Communicator

thanks but it doesn't answer to my question 🙂 I was asking about the name of the folder, not the app/addon name

0 Karma

Splunk Employee
Splunk Employee

Splunk supported TA's are taking on the name Splunk_TA_appname, and the SA / DA names are based on the functionality of the ES app as described in the documentation at :

http://docs.splunk.com/Documentation/ES/latest/Install/ESArchitecture

You can name your's both TA-appname or Splunk_TA_appname and it will get imported.

View solution in original post

Communicator

thanks a lot for your fast answer. What does it mean "splunk supported TA"? It means that if I'm developing an addon by myself without Splunk "collaboration" I should name it as TA-*, right?

0 Karma

Splunk Employee
Splunk Employee

Any app with the TA-appname or Splunk_TA_appname is automatically imported into ES. Additionally, Splunk supported means the TAs released and officially supported via support contracts with Splunk.

0 Karma

Communicator

Thanks a lot 🙂

0 Karma