Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my Custom Tag not applying to all the applications?

johant
Explorer
‎02-11-2018 04:13 PM

Hi,

I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag does being applied in "Search&Reporting" app, however, it is not applied to my other apps e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder, the following are how my eventtypes.conf and tags.conf looks like:

eventtypes.conf

[testemail]
search = index=emailgateway sourcetype=gateway:email

tags.conf

[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled

I also have metadata folder where it set the app to be global:
default.meta

    Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system

Can anyone please let me know if I'm missing something?

Best Regards,
Johan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johant
Explorer
‎02-11-2018 04:43 PM

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johant
Explorer
‎02-11-2018 04:43 PM

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

0 Karma
Reply
Solved! Jump to solution

rpille_splunk
Splunk Employee
Splunk Employee
‎02-12-2018 09:32 AM

For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...