Splunk Enterprise Security

Why is my Custom Tag not applying to all the applications?

johant
Explorer

Hi,

I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag is being applied in the "Search&Reporting" app; however, it is not applied in my other apps, e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder. The following is how my eventtypes.conf and tags.conf look:

eventtypes.conf

[testemail]
search = index=emailgateway sourcetype=gateway:email

tags.conf

[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled

I also have a metadata folder where it sets the app to be global:
default.meta

# Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system

Can anyone please let me know if I'm missing something?

Best Regards,
Johan

1 Solution

johant
Explorer

Hi,

I found the problem.
The app name does not comply with ES.
It has to be either Splunk_TA_[appname] or TA-[appname].

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the Splunk config.

Regards,
Johan


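To see why TA_test was skipped while TA-test or Splunk_TA_test would be picked up, the following added example (not part of the original post, and not ES code) applies the app_regex, app_exclude_regex and app_include_list values quoted from inputs.conf above to a list of constructed app names. It assumes ES matches app_regex against the start of the app name and that the include list wins over the exclude regex; both are assumptions, not documented behaviour.

```python
import re

# Values copied from the SplunkEnterpriseSecuritySuite/default/inputs.conf stanza quoted in the thread.
APP_REGEX = r"(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)"
APP_EXCLUDE_REGEX = r"sideview_utils"
APP_INCLUDE_LIST = ["Splunk_DA-ESS_PCICompliance"]


def es_imports_app(app_name: str) -> bool:
    """Return True if ES would import (and therefore see the tags of) this app.

    Assumption: explicit include list first, then the exclude regex, then
    app_regex anchored at the start of the name (re.match semantics).
    """
    if app_name in APP_INCLUDE_LIST:
        return True
    if re.match(APP_EXCLUDE_REGEX, app_name):
        return False
    return re.match(APP_REGEX, app_name) is not None


def triage_apps(app_names):
    """Map each app name to whether ES would import it, so misnamed TAs stand out."""
    return {name: es_imports_app(name) for name in app_names}


if __name__ == "__main__":
    # Constructed sample of app names as they might appear under $SPLUNK_HOME/etc/apps.
    sample = ["TA_test", "TA-test", "Splunk_TA_test", "SA-utils",
              "sideview_utils", "Splunk_DA-ESS_PCICompliance", "my_custom_app"]
    for name, imported in triage_apps(sample).items():
        print(f"{name:30} {'imported by ES' if imported else 'NOT imported (tags invisible to ES)'}")
```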


rpille_splunk
Splunk Employee

For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps
