Splunk Enterprise Security

Why is my Custom Tag not applying to all the applications?

johant
Explorer

Hi,

I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag does being applied in "Search&Reporting" app, however, it is not applied to my other apps e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder, the following are how my eventtypes.conf and tags.conf looks like:

eventtypes.conf

[testemail]
search = index=emailgateway sourcetype=gateway:email

tags.conf

[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled

I also have metadata folder where it set the app to be global:
default.meta

    Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system

Can anyone please let me know if I'm missing something?

Best Regards,
Johan

0 Karma
1 Solution

johant
Explorer

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

View solution in original post

0 Karma

johant
Explorer

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...