Export content as an app from Splunk Enterprise Security
Export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can export any type of content on the Content Management page, such as correlation searches, glass tables, and views.
By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.
- From the ES menu bar, select Configure > Content Management.
- Select the check boxes of the content you want to export.
- Click Edit Selection and select Export.
- Type an App name. This will be the name of the app in the file system. For example, SOC_custom.
- Select an App name prefix. If you want to import the content back into Splunk Enterprise Security without modifying the default app import conventions, select DA-ESS-. Otherwise, select No Prefix.
- Type a Label. This is the name of the app. For example, Custom SOC app.
- Type a Version and Build number for your app.
- Click Export.
- Click Download app now to download the app package to the search head at the location $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
- Click Close to return to Content Management.
Limitations to exported content
Exported content may not work on older versions of Enterprise Security. An export also does not carry everything that a selected object depends on. The following lists show what is and is not included in exported content.
Included in exported content
- Content exported from the Content Management page includes only the savedsearches.conf, correlationsearches.conf, and governance.conf settings for the selected objects.
- Alert actions and response actions, including risk assignments, script names, and email addresses.
Not included in exported content
- Macros, script files, lookups, or any binary files referenced by the search object.
- Extreme Search objects, such as the context generating search, the contexts, or the concepts referenced by the search object.
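Because macros and lookups are not exported, a correlation search can arrive on the target instance referencing objects that do not exist there. The following added example (not part of the Splunk documentation or product) scans an exported savedsearches.conf for macro and lookup references so they can be confirmed on the target before deployment. The sample conf, the search and lookup names, and the target_has parameter are constructed for illustration, and the patterns cover only backtick macro calls and the lookup, inputlookup, and outputlookup commands.

```python
import re

# Constructed sample of an exported savedsearches.conf (not from a real app).
SAMPLE_CONF = r'''
[Access - Excessive Failed Logins - Rule]
search = | tstats `summariesonly` count from datamodel=Authentication \
    | lookup soc_asset_owners src OUTPUT owner \
    | `soc_severity(count)`

[Access - New Admin Account - Rule]
search = | inputlookup append=t soc_admin_baseline.csv | search NOT [search index=wineventlog]
'''

MACRO_RE = re.compile(r"`([\w.\-]+)(?:\([^`]*\))?`")
LOOKUP_RE = re.compile(r"\|\s*(?:lookup|inputlookup|outputlookup)\s+([^|\]]+)", re.I)

def parse_searches(conf_text):
    """Return {stanza: search string}, joining backslash-continued lines."""
    searches, stanza, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and re.match(r"search\s*=", line):
            searches[stanza] = line.split("=", 1)[1].strip()
    return searches

def external_dependencies(search):
    """Macros and lookups a search references; the export ships neither."""
    macros = {m.group(1) for m in MACRO_RE.finditer(search)}
    lookups = set()
    for m in LOOKUP_RE.finditer(search):
        # Skip option tokens such as append=t; the first bare word is the lookup.
        names = [t for t in m.group(1).split() if "=" not in t]
        lookups.update(names[:1])
    return macros, lookups

def missing_on_target(conf_text, target_has=frozenset()):
    """Per search, the referenced objects not known to exist on the target."""
    report = {}
    for name, search in parse_searches(conf_text).items():
        macros, lookups = external_dependencies(search)
        report[name] = sorted((macros | lookups) - set(target_has))
    return {name: gaps for name, gaps in report.items() if gaps}

print(missing_on_target(SAMPLE_CONF, {"summariesonly"}))
```

Pass in target_has the macro and lookup names already known to exist on the destination search head; anything left in the report has to be copied or recreated there separately.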
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3