Splunk Enterprise Security

Why does Enterprise Security 3.0 not see the tags or field aliases properly in Splunk 6.0 or 6.1?

chrishatfield21
Path Finder

I have Splunk Enterprise 6.1 (I've had the same issue on 6.0) and Enterprise Security 3.0 running. I pull in a data source like normal and everything is looking good until I create tags and field aliases. If I create them in the Search and Reporting app, or any other app as long as it is not ES, and I share them globally with everyone having read permissions, ES does not see the tags. I can search in any app other than ES and the tags work. If I search inside the ES app context with the same search as before, it does not produce any results. The field aliases have the same behavior as the tags when searching.

0 Karma

derekarnold
Communicator

Make sure ES is importing the app properly. See this thread for more info:

http://docs.splunk.com/Documentation/ES/3.3.0/Install/InstallTechnologyAdd-ons#Add_a_custom_add-on_t...

0 Karma