Splunk Enterprise Security

Why is my Custom Tag not applying to all the applications?

Explorer

Hi,

I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag is being applied in the "Search&Reporting" app; however, it is not applied in my other apps, e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder. The following is what my eventtypes.conf and tags.conf look like:

eventtypes.conf

[testemail]
search = index=emailgateway sourcetype=gateway:email

tags.conf

[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled

I also have a metadata folder where I set the app to be global:

default.meta

# Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system

Can anyone please let me know if I'm missing something?

Best Regards,
Johan

0 Karma
1 Solution

Explorer

Hi,

I found the problem.
The app name does not comply with ES.
It has to be either Splunk_TA_[appname] or TA-[appname].

We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)

Then we can refresh the Splunk config.

Regards,
Johan


0 Karma
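To see why TA_test was skipped while TA-test or Splunk_TA_test would be picked up, the app-import rule quoted from inputs.conf can be applied to a list of app names. The script below is an added example, not code from the thread or from Splunk; it copies the app_regex, app_exclude_regex and app_include_list values exactly as quoted above and assumes (an assumption, not something the thread states) that ES applies the regexes anchored at the start of the app name, as Python's re.match does, and that app_include_list is a comma-separated string. The sample app names are constructed for illustration.

```python
import re

# Values copied verbatim from the [app_imports_update://update_es] stanza quoted in the answer
APP_REGEX = r"(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)"
APP_EXCLUDE_REGEX = r"sideview_utils"
# Assumption: app_include_list is a comma-separated list of app names
APP_INCLUDE_LIST = [s.strip() for s in "Splunk_DA-ESS_PCICompliance".split(",")]


def es_would_import(app_name):
    """Return True if the quoted import rule would let ES pick up app_name.

    Assumption: both regexes are anchored at the start of the name (re.match),
    which is how a prefix-style pattern such as TA-. or Splunk_TA_. is meant to work.
    """
    if app_name in APP_INCLUDE_LIST:
        # Explicitly listed apps are imported regardless of the regexes
        return True
    if re.match(APP_EXCLUDE_REGEX, app_name):
        # Excluded apps are never imported
        return False
    return re.match(APP_REGEX, app_name) is not None


def check_apps(app_names):
    """Map each app name to whether ES would import it; useful for auditing a deployment."""
    return {name: es_would_import(name) for name in app_names}


if __name__ == "__main__":
    # Constructed sample: the questioner's TA_test plus a few renamed variants and other apps
    sample = ["TA_test", "TA-test", "Splunk_TA_test", "search", "sideview_utils", "my_custom_app"]
    for name, imported in check_apps(sample).items():
        print(f"{name:30} {'imported' if imported else 'NOT imported'}")
```

Running it shows that TA_test (underscore after TA) matches none of the alternatives, whereas TA-test and Splunk_TA_test do, which is exactly the renaming the answer describes. An app that must keep a non-conforming name can instead be added to app_include_list, as the Splunk documentation linked below covers.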


Splunk Employee

For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps