Splunk Enterprise Security

What is a managed app in Splunk Enterprise Security?

Lowell
Super Champion

I'm attempting to create a new correlation search in Splunk Enterprise Security (4.1). I've created a blank app to house all the custom searches, but when I pick the app from the "Application Context" drop-down menu, the message "Unmanaged App has been selected" shows up beside my selection.

Anyone know what a "managed app" means in the context of ES?

I made sure to use an app name that gets "imported" into the ES eco system (example: SA-CLIENT-ES-Searches) but that doesn't seem to be what "managed" means.

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

Good question, @Lowell. You are likely running into known issue SOLNESS-10022, fixed in 4.1.2 (and therefore also in 4.1.3). (I didn't see the known issue listed in the known issues table for 4.1.1, so I added it there for reference).

Previously we warned on "unmanaged" app selection to warn people that they were selecting an app that wasn't automatically imported into ES. However, we changed the drop-down behavior to make sure that only apps imported into ES displayed, so that messaging was no longer needed.

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

Good question, @Lowell. You are likely running into known issue SOLNESS-10022, fixed in 4.1.2 (and therefore also in 4.1.3). (I didn't see the known issue listed in the known issues table for 4.1.1, so I added it there for reference).

Previously we warned on "unmanaged" app selection to warn people that they were selecting an app that wasn't automatically imported into ES. However, we changed the drop-down behavior to make sure that only apps imported into ES displayed, so that messaging was no longer needed.

Lowell
Super Champion

Thanks for the reply. Very helpful to know.

So is the error just in a bogus warning (which I'm fine with ignoring) or does it break things too? (Upgrading will take weeks to jump through all the right (corp-imposed) hoops, looking to see if there's a work around that will work now.)

I'm also running into issues where (1) the "App" field is not populated for my custom correlation searches created in SA-CLIENT-ES-Searches, (2) Attempting to edit these correlation search takes me to a "Loading" page that never loads, (3) The correlation searches show up on the "Security Posture" and "Incident Review" pages as "Audit - MY SEARCH - Report" (instead of just "MY SEARCH"), and (4) my custom attributes like notable title and description don't show up on the "Incident Review" page.

Do any of these other issues sound like the same problem that the upgrade will fix, or a symptoms of a permissions issue?

I think all the "import" voodoo is working, but I'm on SHC and and I had to kick it in the head to get them to update properly. But if this sounds like a permissions issue I'll review it all again more carefully.

0 Karma

Lowell
Super Champion

If I run | rest splunk_server=local /services/alerts/correlationsearches from the main ES app, I don't see the searches from my custom app.

Doh, I figured it out! Metadata issue on the SA-CLIENT-ES-Searches app. I wasn't exporting. (I forgot that you had to, I was thinking that if your import it, you don't have to export globally, but I guess that's wrong.)

Note that import is STILL not documented on http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Defaultmetaconf

Looks like that has solved most of the issues above, sill seeing the "Audit - * - Report" format name in a few places, but I'm going to give that some time to see if it will go away on it's own (possible cached?). Hopefully the new events will come in properly.

And I'll get the ES upgrade on the list! Thanks!

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Glad everything worked out for you! Would it be worth it to update the docs with a reminder to export the metadata for custom apps that you're importing?

0 Karma

Lowell
Super Champion

Yes, that would be helpful! Last night I sent over a request to the docs team about documenting "import" feature on the "default.meta.conf" page as well. Thanks!

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...