Splunk® Enterprise Security

Installation and Upgrade Manual


Install add-ons

The Splunk App for Enterprise Security solution includes a number of predefined add-ons to work with the data you want to monitor. The add-ons provide the feeds to get data from different sources, and also provide search-time knowledge maps to normalize the data for use within the app. Add-ons ensure that the data is correctly consumed by the Splunk App for Enterprise Security.

Steps for installing add-ons

Use the Splunk Apps manager to configure or add add-ons to your deployment.

Find an add-on

To find an add-on to add:

  1. Click Splunk in the upper-left corner of the dashboard to go to Splunk Home.
  2. Click Apps next to Splunk in the menu bar.
  3. From the drop-down menu, select Manage Apps.
  4. Select Find more apps online. Browse the list of apps; many can be installed for free.
  5. Select the app to be installed.
  6. In the Upload an app panel, browse for the location of the app, select it, and click Upload.

Note: Before you install a new add-on, be sure that the add-on is compatible with the Splunk App for Enterprise Security.

Add an add-on from a local file

To add an add-on locally:

  1. Click Splunk in the upper-left corner of the dashboard to go to Splunk Home.
  2. Click Apps next to Splunk in the menu bar.
  3. From the drop-down menu, select Manage Apps.
  4. Select Install app from file.
  5. In the Upload an app panel, browse for the location of the app, select it, and click Upload.

Edit an existing add-on

To edit an existing add-on:

  1. Click Splunk in the upper-left corner of the dashboard to go to Splunk Home.
  2. Click Apps next to Splunk in the menu bar.
  3. From the drop-down menu, select Manage Apps.
  4. Select the app from the list of apps available.
  5. Click Edit Properties for the app you want to configure. When you are finished, click Save.

Using Manage Apps allows you to modify properties commonly found in the app.conf file for the app. You cannot modify any other .conf files associated with the app in this section.

Note: Do not click Create app on the Manage Apps > Apps page. Apps for the Splunk App for Enterprise Security need to be created and configured slightly differently.

To create a custom add-on to capture and map your data, see the Data Source Integration Manual.

Add a custom add-on to an app

The Splunk App for Enterprise Security includes a modular input to update your add-ons or add custom add-ons with unique naming conventions. There are a couple of ways to update or add add-ons in your deployment:

Run setup to update the list of add-ons

When you run setup on the Splunk App for Enterprise Security from Manage Apps, the module automatically imports any add-ons with the following naming conventions:

TA-*
Splunk_TA_*

To run setup:

  1. Go to Apps > Manage Apps > Enterprise Security > Setup.
  2. Click OK.
  3. Restart Splunk to incorporate the changes.

Imports are transitive

App imports are transitive, meaning that an app (A) that imports another app (B) also imports all of the apps (C) imported by that app.

In other words:

  1. If app A imports B,
  2. and app B imports C,
  3. then A imports C.

Since supporting add-ons import each other, you may see only one supporting add-on with an updated local.meta file. This is usually SA-AccessProtection, since it is the first supporting add-on in the list of apps.

View current app imports

View the current app imports by using the "rest" search command.

Note: You need to have administrator permissions to run the command.

This example shows the imports for the SA-EndpointProtection app:

| rest /servicesNS/nobody/system/apps/local/SA-EndpointProtection/import | fields import

Modify this code sample to view the imports of another app.

Import add-ons with a different naming convention

To add a new add-on's naming convention, you need to modify the regular expression (regex) used by the app import updater. To do this:

1. Edit or create the app_regex field in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf for the "app_imports_update://update_es" stanza.

2. Make the necessary changes in your app_imports_update://update_es stanza.

For example, the app "test" has been added to this stanza:

# Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(test)

3. Save your changes.

4. Restart Splunk to incorporate the changes.

Remove an add-on from app import

To remove an add-on from app import:

1. Edit SplunkEnterpriseSecuritySuite/local/inputs.conf and use a regex string that filters away the imported add-on.

For example, here you block Splunk_TA_windows by adding a "w":

[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_w.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(test)

2. Restart Splunk to incorporate the changes.
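Because the app_regex value decides which add-ons the import updater picks up, it pays to check an edited pattern against the real app directory names before restarting Splunk. The script below is an added example, not part of this manual or of the Enterprise Security modular input; it uses the app_regex value shown above, a constructed list of app directory names, and assumes that the updater requires the whole directory name to match the pattern.

```python
import re

# app_regex value from the [app_imports_update://update_es] stanza shown above
# (the variant with "test" appended).
APP_REGEX = r"(TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(test)"

# Constructed sample of directory names as found under $SPLUNK_HOME/etc/apps;
# in practice pass the real listing (for example os.listdir of that path).
SAMPLE_APPS = [
    "TA-cisco", "Splunk_TA_windows", "SA-AccessProtection",
    "DA-ESS-NetworkProtection", "SplunkEnterpriseSecuritySuite",
    "sideview_utils", "test", "search", "launcher", "myorg_addon",
]


def imported_apps(app_regex, app_names):
    """Split app_names into (imported, skipped) under app_regex.

    Assumption: the import updater accepts a name only when the whole name
    matches, so re.fullmatch is used; alternatives such as TA-.* behave the
    same either way.
    """
    pattern = re.compile(app_regex)
    imported = [n for n in app_names if pattern.fullmatch(n)]
    skipped = [n for n in app_names if not pattern.fullmatch(n)]
    return imported, skipped


def add_prefix(app_regex, prefix):
    """Return app_regex with one more alternative that admits every add-on
    whose name starts with prefix (the prefix is escaped as a literal)."""
    return f"{app_regex}|({re.escape(prefix)}.*)"


if __name__ == "__main__":
    imported, skipped = imported_apps(add_prefix(APP_REGEX, "myorg_"), SAMPLE_APPS)
    print("imported:", ", ".join(imported))
    print("skipped: ", ", ".join(skipped))
```

Paste the resulting app_regex string back into the local/inputs.conf stanza only after the imported list contains exactly the add-ons you expect.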

Determine which add-ons to deploy

Not all add-ons must be installed on the indexers, only those that perform operations at index time. Review the README ($SPLUNK_HOME/etc/apps/TA-<vendor/product>/README) associated with the add-on you are deploying to determine if it includes index-time operations. If it does not include index-time operations, then no further action is necessary.

If there are index-time operations that require the add-on, deploy it with the deployment server, using the instructions found in "About deployment server" in the Distributed Deployment Manual, part of the core Splunk documentation.

Note: If there is no README, you can look at the configuration files. An add-on includes index-time operations if any of the following appear in the default/props.conf file in the apps directory:

* SHOULD_LINEMERGE
* LINE_BREAKER
* TIME_PREFIX
* TIME_FORMAT
* TZ
* TRANSFORMS-<x>=<y>
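The following script applies the check described above to a default/props.conf file: it flags any stanza that carries one of the listed index-time settings (or any TRANSFORMS-<x> key) so you know whether the add-on must also be deployed to the indexers. It is an added example, not part of this manual; the minimal .conf parser and the sample props.conf text are constructed here.

```python
# Settings that this manual lists as index-time operations.
INDEX_TIME_KEYS = {"SHOULD_LINEMERGE", "LINE_BREAKER", "TIME_PREFIX", "TIME_FORMAT", "TZ"}


def parse_conf(text):
    """Minimal parser for Splunk .conf text: returns {stanza: {key: value}}.
    Constructed helper; it ignores comments, blank lines and continuation lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_time_settings(props_text):
    """Return {stanza: [keys]} for every stanza with an index-time setting."""
    found = {}
    for stanza, settings in parse_conf(props_text).items():
        hits = [k for k in settings if k in INDEX_TIME_KEYS or k.startswith("TRANSFORMS-")]
        if hits:
            found[stanza] = hits
    return found


def needs_indexer_deployment(props_text):
    """True when the add-on's props.conf contains any index-time operation."""
    return bool(index_time_settings(props_text))


# Constructed sample default/props.conf: one stanza with index-time settings,
# one stanza with search-time-only settings (REPORT-, LOOKUP-).
SAMPLE_PROPS = r"""
# constructed sample
[vendor:product]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TRANSFORMS-null = setnull
EXTRACT-user = user=(?<user>\S+)

[vendor:other]
REPORT-fields = vendor_fields
LOOKUP-sev = severity_lookup code OUTPUT severity
"""
```

Run it against the real file with index_time_settings(open(path).read()); an empty result means the add-on can stay off the indexers.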
Last modified on 18 November, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1