UPDATE
I'm changing my answer. DON'T DO THIS. As martin and esix pointed out, it's not a good idea to break the standard way of using ES.
Just try to understand why the eventtype didn't show up in ES only, since Splunk doesn't tell you exactly why. I guess I should have focused more on explaining the reason.
If the eventtype configuration was added in the search app, then it would have worked because the search app is included in the dependency path.
If the custom TA name followed the convention like "TA-foo" (instead of TA_foo) then it would have worked because ES will recognize it.
Anyway, always use CIM comparable add-ons and ask for PS if you need any customization.
I'll keep my previous answer below in case somebody might make similar mistakes.
It seems that Enterprise Security has a dependency on its apps and add-ons. If you go to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata and open up the default.meta file, you’ll see an attribute named “import”. This attribute is not documented in default.meta.conf.
But it is pretty obvious if you follow the import dependency through ES to DA to SA to TA that your custom add-on, which is a TA, should be added to some SA. For those who don’t know, DA stands for Domain Add-on, SA for Support Add-on and TA for Technology Add-on.
I’ve added my 'TA_foo' in Splunk_SA_CIM by modifying $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/metadata/local.meta like below and now it works fine. (Just add ', TA_foo' at the end of the import attribute.)
[]
access = read : [ * ], write : [ admin ]
export = system
version = 6.3.1
modtime = 1449612718.015126000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, DA-ESS-ThreatIntelligence, SA-AccessProtection, SA-AuditAndDataProtection, SA-EndpointProtection, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-UEBA, SA-Utils, Splunk_DA-ESS_PCICompliance, Splunk_SA_CIM, Splunk_SA_ExtremeSearch, Splunk_TA_bluecoat-proxysg, Splunk_TA_bro, Splunk_TA_flowfix, Splunk_TA_juniper, Splunk_TA_mcafee, Splunk_TA_nessus, Splunk_TA_nix, Splunk_TA_oracle, Splunk_TA_ossec, Splunk_TA_paloalto, Splunk_TA_sophos, Splunk_TA_sourcefire, Splunk_TA_symantec-ep, Splunk_TA_ueba, Splunk_TA_windows, TA-airdefense, TA-alcatel, TA-cef, TA-fireeye, TA-fortinet, TA-ftp, TA-ncircle, TA-nmap, TA-rsa, TA-tippingpoint, TA-trendmicro, TA-websense, search, TA_foo
Restart Splunk or call https://splunk_host:8000/en_US/debug/refresh to make changes effective.
To check whether ES now recognizes your eventtypes, go to Settings > Event Types and search for your eventtype with the App context set to Enterprise Security.
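Added example, not part of the original answer and not Splunk's own code: a read-only check that walks the `import` attribute from the ES app's metadata to report whether a given add-on is reachable, without editing any .meta file. It assumes imports are followed transitively as the answer describes and that local.meta overrides default.meta; it looks only at explicit `import` entries, and the sample tree in `demo()` is constructed.

```python
import os
import tempfile
from collections import deque

def read_imports(app_dir):
    """Import list from the global [] stanza; local.meta is read last and wins."""
    imports = []
    for name in ("default.meta", "local.meta"):
        path = os.path.join(app_dir, "metadata", name)
        if not os.path.isfile(path):
            continue
        stanza = None
        with open(path, encoding="utf-8") as fh:
            for line in (raw.strip() for raw in fh):
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1].strip()
                elif stanza == "" and line.partition("=")[0].strip() == "import":
                    imports = [a.strip() for a in line.partition("=")[2].split(",") if a.strip()]
    return imports

def import_path(apps_dir, start_app, target_app):
    """Breadth-first walk of import attributes; returns the chain or None."""
    queue, seen = deque([[start_app]]), {start_app}
    while queue:
        chain = queue.popleft()
        if chain[-1] == target_app:
            return chain
        for dep in read_imports(os.path.join(apps_dir, chain[-1])):
            if dep not in seen:
                seen.add(dep)
                queue.append(chain + [dep])
    return None

def demo():
    """Run the check on a constructed apps tree (not real ES metadata)."""
    sample = {
        "SplunkEnterpriseSecuritySuite": "[]\nimport = Splunk_SA_CIM, search\n",
        "Splunk_SA_CIM": "[]\nexport = system\nimport = TA-cef\n",
        "TA_foo": "[]\nexport = system\n",
    }
    with tempfile.TemporaryDirectory() as apps:
        for app, meta in sample.items():
            os.makedirs(os.path.join(apps, app, "metadata"))
            with open(os.path.join(apps, app, "metadata", "default.meta"), "w") as fh:
                fh.write(meta)
        es = "SplunkEnterpriseSecuritySuite"
        return import_path(apps, es, "TA_foo"), import_path(apps, es, "TA-cef")

if __name__ == "__main__":
    print(demo())
```

On a real instance, call `import_path` with the path to `$SPLUNK_HOME/etc/apps`, `SplunkEnterpriseSecuritySuite` and the add-on's directory name; `None` means no import chain reaches it.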