Splunk Enterprise Security

Why is my Custom Tag not applying to all the applications?

johant
Explorer

Hi,

I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag does being applied in "Search&Reporting" app, however, it is not applied to my other apps e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder, the following are how my eventtypes.conf and tags.conf looks like:

eventtypes.conf

[testemail]
search = index=emailgateway sourcetype=gateway:email

tags.conf

[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled

I also have metadata folder where it set the app to be global:
default.meta

    Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system

Can anyone please let me know if I'm missing something?

Best Regards,
Johan

0 Karma
1 Solution

johant
Explorer

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

View solution in original post

0 Karma

johant
Explorer

Hi,

I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the splunk config.

Regards,
Johan

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...