Import custom apps and add-ons to Splunk Enterprise Security
You can extend the functionality of Splunk Enterprise Security with apps and add-ons. Download apps and add-ons from Splunkbase or create your own add-on with a tool such as the Splunk Add-on Builder. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads.
Use the Update ES modular input
Splunk Enterprise Security integrates the configurations of apps and add-ons installed on the same search head. The Update ES modular input imports all apps and add-ons whose names match a regex filter. The filter is defined in the app at SplunkEnterpriseSecuritySuite/default/inputs.conf.
| Modular input | Function |
|---|---|
| app_imports_update://update_es | Imports and updates the metadata for supporting add-ons. |
| app_imports_update://update_es_da | Imports and updates the metadata for domain add-ons. |
| app_imports_update://update_es_main | Imports and updates the metadata for the SplunkEnterpriseSecuritySuite. |
Imports are transitive
App imports are transitive. This means that an app (A) that imports another app (B) also imports all of the apps (C) imported by B.
- If app A imports B,
- and app B imports C,
- then A imports C.
Because supporting add-ons import each other, you might see only one supporting add-on with an updated local.meta file. This is SA-AccessProtection, as it is the first supporting add-on in the list of apps.
View existing app imports
Use the | rest search command to view the existing app imports. You must have Splunk administrator permissions to run the command.
For example, to view the imports for the SplunkEnterpriseSecuritySuite app while authenticated as the admin user:
| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import
App and add-on import naming conventions
The modular inputs automatically import apps and add-ons prefixed with any of the following: DA-ESS-, SA-, TA-, Splunk_SA_, Splunk_TA_, and Splunk_DA-ESS_.
Import add-ons with a different naming convention
If your custom add-on does not use the typical ES naming conventions, you must add the name or a naming convention to the import modular input.
- On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
- Edit the update_es input.
- Update the Application Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex. For example, to import a new add-on named My_datasource, update the Application Regular Expression field to: (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(My_datasource)
- When changing the Application Regular Expression field, always append to the default regex or the existing app imports will fail.
- Save.
- Preview the changes: |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated
- Restart Splunk Enterprise services to incorporate the changes.
Remove an add-on from app import
Exclude an add-on from the app import process.
- On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
- Edit the update_es input.
- Update the Application Exclusion Regular Expression field, adding the naming convention of your add-on to the list of excluded naming conventions using a regex. For example, to exclude a new add-on named TA_new_test, update the Application Exclusion Regular Expression field to: |TA_new_test
- Save.
- Preview the changes: |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated
- Restart Splunk Enterprise services to incorporate the changes.
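Both procedures above edit a regex that decides which apps ES imports, and a mistake (replacing the default instead of appending to it, or leaving an empty alternative) silently changes that set. The following Python script is an added example, not part of this page or of Splunk: it dry-runs the inclusion regex from the My_datasource example and an exclusion entry against a constructed list of app names before you save the field. It assumes the modular input matches names from their start (re.match) and that a non-empty exclusion regex overrides inclusion; neither is stated on the page.

```python
import re

# Default Application Regular Expression as shown on this page, before any
# custom add-on name is appended to it.
DEFAULT_APP_REGEX = ("(appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)"
                     "|(DA-ESS-.*)|(Splunk_DA-ESS_.*)")


def append_alternative(existing, name):
    """Append one literal app name to a regex field as a new alternative.
    An empty field gets the name alone: a leading "|" would create an empty
    alternative, which matches every app name under Python's re module."""
    alt = "(%s)" % re.escape(name)
    return "%s|%s" % (existing, alt) if existing else alt


def planned_imports(app_names, app_regex, app_exclude_regex=""):
    """Return the app names the import filter would keep.
    Assumption (not stated on the page): names are matched from their start,
    as re.match does, and a non-empty exclusion regex overrides inclusion."""
    include = re.compile(app_regex)
    exclude = re.compile(app_exclude_regex) if app_exclude_regex else None
    return [n for n in app_names
            if include.match(n) and not (exclude and exclude.match(n))]


def dropped_by_edit(app_names, old_regex, new_regex):
    """Apps imported under old_regex that new_regex would stop importing.
    A non-empty result means the default regex was replaced, not extended."""
    after = planned_imports(app_names, new_regex)
    return [n for n in planned_imports(app_names, old_regex) if n not in after]


# Constructed list of apps on a search head (not from a real deployment).
SAMPLE_APPS = ["search", "SA-AccessProtection", "TA-example", "Splunk_TA_windows",
               "DA-ESS-NetworkProtection", "My_datasource", "TA_new_test",
               "my_dashboards"]

if __name__ == "__main__":
    regex = append_alternative(DEFAULT_APP_REGEX, "My_datasource")
    regex = append_alternative(regex, "TA_new_test")
    print("imported:", planned_imports(SAMPLE_APPS, regex))
    print("after exclusion:", planned_imports(
        SAMPLE_APPS, regex, append_alternative("", "TA_new_test")))
    print("lost by replacing the default:",
          dropped_by_edit(SAMPLE_APPS, DEFAULT_APP_REGEX, "(My_datasource)"))
```

Run it with the real app list from `| rest services/apps/local | fields title` substituted for SAMPLE_APPS to see exactly which apps a proposed regex would stop importing.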
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2