Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Content Management

You can use the Content Management page to display, configure, and edit the correlation searches, key indicators, saved searches, and entity investigator searches unique to Splunk Enterprise Security.

Actions

Browse to Configure > Content Management. The Actions column provides several options depending on the type of content.

  • Enable or disable a correlation search.
  • Change a correlation search between scheduled and real-time searching.
  • Accelerate a key indicator search.

See Configure correlation searches.

Export Search content

The Content Management page provides an export option that collects selected searches into a custom app for download. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production.

By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.

  1. Select the search content to export by clicking the selection box next to each search object.
  2. Open Edit Selection and choose Export.
  3. On the Export Searches Into An App page, fill out the App Name, Label, Version, and Build number fields. If you intend to import the content back into Enterprise Security, the App Name field must conform to the app import naming conventions. For more information, see Installing add-ons in the Installation and Upgrade Manual.
  4. Click Export.
  5. After a dialog box appears indicating "Content successfully exported", click Download app now to retrieve the app. The app is an archive file with the extension .spl.
  6. Click Close to return to the Content Management page.

Limitations to exported content

Exported content will only include the savedsearches.conf, correlationsearches.conf, and governance.conf settings for the selected objects. Any other artifacts referenced directly or indirectly will not be included.

Examples:

  • Exported content will include all defined alert actions, such as risk assignments, script names, and email addresses.
  • Exported content will remain on the search head after downloading, stored in the path: $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
  • Exported content will not include macros, script files, lookups, or any binary files referenced by the search object.
  • Exported content will not include Extreme Search objects, such as the context generating search, the contexts, or the concepts referenced by the search object.
  • Exported content may not work on older versions of Enterprise Security.
Last modified on 10 October, 2016
Configuration Settings   Configure lists and lookups

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters