Content Management
You can use the Content Management page to display, configure, and edit the correlation searches, key indicators, saved searches, and entity investigator searches unique to Splunk Enterprise Security.
Actions
Browse to Configure > Content Management. The Actions column provides several options depending on the type of content.
- Enable or disable a correlation search.
- Change a correlation search between scheduled and real-time searching.
- Accelerate a key indicator search.
See Configure correlation searches.
Export Search content
The Content Management page provides an export option that collects selected searches into a custom app for download. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production.
By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.
- Select the search content to export by clicking the selection box next to each search object.
- Open Edit Selection and choose Export.
- On the Export Searches Into An App page, fill out the App Name, Label, Version, and Build number fields. If you intend to import the content back into Enterprise Security, the App Name field must conform to the app import naming conventions. For more information, see Installing add-ons in the Installation and Upgrade Manual.
- Click Export.
- After a dialog box appears indicating "Content successfully exported", click Download app now to retrieve the app. The app is an archive file with the extension .spl.
- Click Close to return to the Content Management page.
Limitations to exported content
Exported content will only include the savedsearches.conf, correlationsearches.conf, and governance.conf settings for the selected objects. Any other artifacts referenced directly or indirectly will not be included.
Examples:
- Exported content will include all defined alert actions, such as risk assignments, script names, and email addresses.
- Exported content will remain on the search head after downloading, stored in the path $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
- Exported content will not include macros, script files, lookups, or any binary files referenced by the search object.
- Exported content will not include Extreme Search objects, such as the context generating search, the contexts, or the concepts referenced by the search object.
- Exported content may not work on older versions of Enterprise Security.
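Because the export carries only the .conf settings listed above, a search that references a macro or lookup will break on the target instance unless those objects already exist there. The following added example (not Splunk's own tooling) opens an exported .spl archive, reads the search strings from its savedsearches.conf, and reports macros and lookups that are referenced but not defined inside the app. It assumes the .spl is a gzipped tar with the app name as its top-level directory, and uses a constructed sample export rather than a real one.

```python
"""Added example: audit an exported ES content app (.spl) for dependencies it cannot carry."""
import configparser
import io
import re
import tarfile

# Assumption: a .spl is a gzipped tar whose top-level directory is the app name.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)")  # matches `macro` or `macro(args)`
LOOKUP_RE = re.compile(r"\|\s*(?:input)?lookup\s+(?:\w+=\w+\s+)*([A-Za-z0-9_.-]+)")

def _conf(tar, filename):
    """Parse the first member ending in filename as a Splunk .conf; empty parser if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as Splunk writes it
    for member in tar.getmembers():
        if member.isfile() and member.name.endswith("/" + filename):
            parser.read_string(tar.extractfile(member).read().decode("utf-8"))
            break
    return parser

def missing_dependencies(spl_bytes):
    """Macros and lookups referenced from savedsearches.conf but not defined inside the app."""
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:gz") as tar:
        saved, macros, transforms = (_conf(tar, f) for f in
                                     ("savedsearches.conf", "macros.conf", "transforms.conf"))
    defined_macros = {s.split("(")[0] for s in macros.sections()}  # "name(2)" -> "name"
    defined_lookups = set(transforms.sections())                    # lookup stanzas by name
    wanted_macros, wanted_lookups = set(), set()
    for stanza in saved.sections():
        spl = saved[stanza].get("search", "")
        wanted_macros.update(MACRO_RE.findall(spl))
        wanted_lookups.update(LOOKUP_RE.findall(spl))
    return {"macros": wanted_macros - defined_macros, "lookups": wanted_lookups - defined_lookups}

def build_sample_spl():
    """Constructed sample: an export carrying only savedsearches.conf, as the page describes."""
    conf = ("[Custom - Suspicious Login - Rule]\n"
            "search = `my_custom_macro` | lookup custom_blocklist src OUTPUT is_blocked\n"
            "action.risk = 1\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("my_exported_content/default/savedsearches.conf")
        info.size = len(conf.encode())
        tar.addfile(info, io.BytesIO(conf.encode()))
    return buf.getvalue()

if __name__ == "__main__":
    print(missing_dependencies(build_sample_spl()))
```

Run it against a real download by passing the bytes of the .spl file to missing_dependencies; anything it reports must be present on the target instance before the imported searches will run.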
This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only