Import custom apps and add-ons to Splunk Enterprise Security

You can extend the functionality of Splunk Enterprise Security with apps and add-ons. Download apps and add-ons from Splunkbase or create your own add-on with a tool such as the Splunk Add-on Builder. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads.

Use the Update ES modular input

Splunk Enterprise Security integrates the configurations of apps and add-ons installed on the same search head. The Update ES modular input is responsible for importing all apps and add-ons that match a regex filter. The filter is defined in the app path SplunkEnterpriseSecuritySuite/default/inputs.conf.

Imports are transitive

App imports are transitive. This means that an app (A) that imports another app (B), also imports all of the apps (C) imported by that app.

1. If app A imports B,
2. and app B imports C,
3. then A imports C.

Because supporting add-ons import each other, you might see only one supporting add-on with an updated local.meta file. This is SA-AccessProtection, as it is the first supporting add-on in the list of apps.

View existing app imports

Use the |rest search commands to view the existing app imports. You must have Splunk administrator permissions to run the command. For example, to view the imports for the SplunkEnterpriseSecuritySuite app while authenticated as the admin user:

| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import

App and add-on import naming conventions

The modular inputs will automatically import apps and add-ons prefixed with any of the following: DA-ESS-, SA-, TA-, Splunk_SA_, Splunk_TA_, and Splunk_DA-ESS_.

Import add-ons with a different naming convention

If your custom add-on does not use the typical ES naming conventions, you must add the name or a naming convention to the import modular input.

1. On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
2. Edit the update_es input.
3. Update the Application Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
   1. For example, to import a new add-on named My_datasource update the Application Regular Expression field to:

      (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(My_datasource)

   2. When changing the Application Regular Expression field, always append to the default regex or the existing app imports will fail.
4. Save.
5. Preview the changes

   |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated

6. Restart Splunk Enterprise services to incorporate the changes.

Remove an add-on from app import

Exclude an add-on from the app import process.

1. On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
2. Edit the update_es input.
3. Update the Application Exclusion Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
   1. For example, to exclude a new add-on named TA_new_test update the Application Exclusion Regular Expression field to: |TA_new_test
4. Save.
5. Preview the changes

   |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated

6. Restart Splunk Enterprise services to incorporate the changes.