I'm attempting to create a new correlation search in Splunk Enterprise Security (4.1). I've created a blank app to house all the custom searches, but when I pick the app from the "Application Context" drop-down menu, the message "Unmanaged App has been selected" shows up beside my selection.
Anyone know what a "managed app" means in the context of ES?
I made sure to use an app name that gets "imported" into the ES eco system (example: SA-CLIENT-ES-Searches) but that doesn't seem to be what "managed" means.
Good question, @Lowell. You are likely running into known issue SOLNESS-10022, fixed in 4.1.2 (and therefore also in 4.1.3). (I didn't see the known issue listed in the known issues table for 4.1.1, so I added it there for reference).
Previously we warned on "unmanaged" app selection to warn people that they were selecting an app that wasn't automatically imported into ES. However, we changed the drop-down behavior to make sure that only apps imported into ES displayed, so that messaging was no longer needed.
Thanks for the reply. Very helpful to know.
So is the error just in a bogus warning (which I'm fine with ignoring) or does it break things too? (Upgrading will take weeks to jump through all the right (corp-imposed) hoops, looking to see if there's a work around that will work now.)
I'm also running into issues where (1) the "App" field is not populated for my custom correlation searches created in SA-CLIENT-ES-Searches, (2) attempting to edit these correlation searches takes me to a "Loading" page that never loads, (3) the correlation searches show up on the "Security Posture" and "Incident Review" pages as "Audit - MY SEARCH - Report" (instead of just "MY SEARCH"), and (4) my custom attributes like notable title and description don't show up on the "Incident Review" page.
Do any of these other issues sound like the same problem that the upgrade will fix, or symptoms of a permissions issue?
I think all the "import" voodoo is working, but I'm on SHC and I had to kick it in the head to get them to update properly. But if this sounds like a permissions issue I'll review it all again more carefully.
If I run `| rest splunk_server=local /services/alerts/correlationsearches` from the main ES app, I don't see the searches from my custom app.
Doh, I figured it out! Metadata issue on the SA-CLIENT-ES-Searches app. I wasn't exporting. (I forgot that you had to; I was thinking that if you import it, you don't have to export globally, but I guess that's wrong.)
Note that import is STILL not documented on http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Defaultmetaconf
Looks like that has solved most of the issues above, still seeing the "Audit - * - Report" format name in a few places, but I'm going to give that some time to see if it will go away on its own (possibly cached?). Hopefully the new events will come in properly.
And I'll get the ES upgrade on the list! Thanks!
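The root cause the poster lands on (the custom app's knowledge objects were never exported globally) is easy to verify before deploying an app that feeds correlation searches into ES. The script below is an added example, not part of this thread and not Splunk's own tooling: it parses an app's metadata/default.meta (or local.meta) with a minimal reader and reports which object types do not resolve to `export = system`. The `[]` global stanza and the `export` key are standard Splunk metadata settings; the ES-specific `import` key mentioned above is not validated here, and the .meta snippets are constructed samples.

```python
"""
Check that a Splunk app's metadata (default.meta / local.meta) exports its
knowledge objects system-wide ("export = system"), which an app that
contributes correlation searches to Enterprise Security needs.
Added example, not Splunk's own tooling; sample .meta text is constructed.
"""
from typing import Dict, List, Sequence

# Constructed sample: access is set but nothing is exported (the mistake
# described in the thread). Splunk's default for a missing export is "none".
BROKEN_META = """
[]
access = read : [ * ], write : [ admin ]
"""

# Constructed sample: the corrected file, exporting everything globally.
FIXED_META = """
[]
access = read : [ * ], write : [ admin ]
export = system
"""

# Constructed sample: global export, but saved searches explicitly kept local.
OVERRIDE_META = """
[]
export = system

[savedsearches]
export = none
"""


def parse_meta(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for Splunk .meta/.conf syntax: [stanza] headers and
    'key = value' lines. configparser is deliberately not used because
    Splunk's empty global stanza '[]' is rejected by it."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # '' for the global stanza '[]'
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_export(stanzas: Dict[str, Dict[str, str]], object_type: str) -> str:
    """Resolve the export scope for one object type (e.g. 'savedsearches'):
    the most specific matching stanza wins, then the global '[]' stanza,
    and with no setting at all the app exports nothing ('none')."""
    for name in (object_type, ""):
        if name in stanzas and "export" in stanzas[name]:
            return stanzas[name]["export"]
    return "none"


def not_exported_globally(text: str,
                          object_types: Sequence[str] = ("savedsearches",)) -> List[str]:
    """Return the object types whose effective export is not 'system'."""
    stanzas = parse_meta(text)
    return [t for t in object_types if effective_export(stanzas, t) != "system"]


if __name__ == "__main__":
    for label, meta in (("broken", BROKEN_META), ("fixed", FIXED_META),
                        ("override", OVERRIDE_META)):
        missing = not_exported_globally(meta)
        status = "OK" if not missing else "NOT exported: " + ", ".join(missing)
        print(f"{label:8s} {status}")
```

To run it against a real app, read `$SPLUNK_HOME/etc/apps/<app>/metadata/default.meta` and pass the text to `not_exported_globally`; a non-empty result is the symptom the thread describes (searches missing from `| rest /services/alerts/correlationsearches` in the ES app).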
Glad everything worked out for you! Would it be worth it to update the docs with a reminder to export the metadata for custom apps that you're importing?
Yes, that would be helpful! Last night I sent over a request to the docs team about documenting "import" feature on the "default.meta.conf" page as well. Thanks!