Hi, I'm using Security enterprise but the datamodels intrusion and malware are not working but if I use the app search I see results.
Can anyone help me?
I upload the result for the same search on different app.
My guess would be that your app that is responsible for providing the eventtype/tags of ids and attack, does not meet the naming requirements of the App Imports regex in ES.
| rest /services/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local
| rename title AS master
| fields master, import
| mvexpand import
| join type=left import [| rest /services/apps/local splunk_server=local
| fields title, disabled | rename title AS import]
If you app is not listed here proceed to
a. renaming your app so the regex picks it up
b. modifying the regex so it can pick up your non-standard naming convention.
You can modify the regex in the UI under settings/data inputs/ App Imports or via conf file... Here is the default example... /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf
app_regex = (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.*)|(Splunk_SA_.*)
# Leave this disabled, this input will be enabled in setup
disabled = 1
interval = 60
Hope this helps: Here is a link the docs on this:
View solution in original post