Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Export content as an app from Splunk Enterprise Security

Export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can export any type of content on the Content Management page, such as correlation searches, glass tables, and views.

By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.

  1. From the ES menu bar, select Configure > Content Management.
  2. Select the check boxes of the content you want to export.
  3. Click Edit Selection and select Export.
  4. Type an App name. This will be the name of the app in the file system.
    For example, SOC_custom.
  5. Select an App name prefix. If you want to import the content back into Splunk Enterprise Security without modifying the default app import conventions, select DA-ESS-. Otherwise, select No Prefix.
  6. Type a Label. This is the name of the app.
    For example, Custom SOC app.
  7. Type a Version and Build number for your app.
  8. Click Export.
  9. Click Download app now to download the app package. The package is written on the search head under $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
  10. Click Close to return to Content Management.

Limitations to exported content

Exported content may not work on older versions of Enterprise Security. The following items are included or not included in exported content, so check that the target instance supplies whatever the export leaves out.

Included in exported content

  • Content exported from the Content Management page includes only the savedsearches.conf, correlationsearches.conf, and governance.conf settings for the selected objects.
  • Alert actions and response actions, including risk assignments, script names, and email addresses. Review these settings before sharing an exported app with another environment, because the email recipients and script names travel with the export.

Not included in exported content

  • Macros, script files, lookups, or any binary files referenced by the search object.
  • Extreme Search objects, such as the context generating search, the contexts, or the concepts referenced by the search object.
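The limitations above mean that an exported app can silently depend on macros and lookups that exist only on the source search head, while carrying alert-action settings you may not want to ship. The following script is an added example, not code from the Splunk documentation or from Enterprise Security: it parses a savedsearches.conf in the exported app (Splunk .conf layout: stanzas, key = value, backslash line continuation), lists the macros and lookups each search references that the app does not bundle in macros.conf, transforms.conf or lookups/, and lists the alert-action settings that will leave with the export. The stanza contents in SAMPLE_SAVEDSEARCHES and SAMPLE_MACROS are constructed for the example; the macro and lookup regexes cover common search syntax and are an assumption, not Splunk's own parser.

```python
"""Audit an app exported from ES Content Management before importing it elsewhere.

Added example (not Splunk's code). Reports, per saved search, the macros and
lookups the search references but the exported app does not carry, and the
alert-action settings (email addresses, script names, risk) that it does carry.
"""
import re
from pathlib import Path

# Constructed sample of an exported savedsearches.conf (not a real export).
SAMPLE_SAVEDSEARCHES = """\
[Custom - Suspicious Admin Logon - Rule]
search = `cim_Authentication_indexed` action="success" user="admin*" \\
  | lookup local=true soc_admin_hosts host OUTPUT owner \\
  | `drop_dm_object_name("Authentication")`
action.email = 1
action.email.to = soc@example.com
action.script = 1
action.script.filename = notify_soc.py
action.risk = 1

[Custom - Rare Process Report]
search = | inputlookup rare_process_baseline.csv | where count < 3
"""
# Constructed macros.conf: the exported app bundles only this one macro.
SAMPLE_MACROS = "[drop_dm_object_name(1)]\ndefinition = rename $dm$.* as *\nargs = dm\n"

MACRO_RE = re.compile(r"`([A-Za-z_][A-Za-z0-9_]*)(?:\(([^`]*)\))?`")   # `name` or `name(args)`
LOOKUP_RE = re.compile(r"\b(?:input)?lookup\s+(?:\w+=\S+\s+)*([^\s|]+)")  # lookup [opt=val ...] NAME
ACTION_KEYS = ("action.email.to", "action.script.filename", "action.risk")


def parse_conf(text: str) -> dict:
    """Parse Splunk .conf text: [stanza] headers, key = value, trailing '\\' continues a line."""
    stanzas, current, logical = {}, None, []
    for raw in text.splitlines():
        if raw.endswith("\\"):            # continuation: glue the next physical line on
            logical.append(raw[:-1])
            continue
        logical.append(raw)
        line, logical = "".join(logical).strip(), []
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")   # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def macro_refs(search: str) -> set:
    """Macro references keyed the way macros.conf names them: name, or name(argcount)."""
    return {f"{name}({args.count(',') + 1})" if args else name
            for name, args in MACRO_RE.findall(search)}


def lookup_refs(search: str) -> set:
    """Lookup names used by lookup/inputlookup, skipping options such as local=true."""
    return set(LOOKUP_RE.findall(search))


def audit_conf(savedsearches: str, macros: str = "", transforms: str = "", lookup_files=()) -> dict:
    """Per saved search: unbundled macros and lookups, plus the alert-action settings it carries."""
    defined_macros = set(parse_conf(macros))
    defined_lookups = set(parse_conf(transforms)) | set(lookup_files)
    report = {}
    for name, keys in parse_conf(savedsearches).items():
        search = keys.get("search", "")
        report[name] = {
            "missing_macros": sorted(macro_refs(search) - defined_macros),
            "missing_lookups": sorted(lookup_refs(search) - defined_lookups),
            "alert_actions": {k: v for k, v in keys.items() if k in ACTION_KEYS},
        }
    return report


def audit_export(app_dir: Path) -> dict:
    """Run audit_conf over an unpacked exported app; default/ and local/ are both read."""
    def read(name: str) -> str:
        paths = (app_dir / "default" / name, app_dir / "local" / name)
        return "\n".join(p.read_text() for p in paths if p.exists())
    lookups_dir = app_dir / "lookups"
    files = [p.name for p in lookups_dir.iterdir()] if lookups_dir.is_dir() else []
    return audit_conf(read("savedsearches.conf"), read("macros.conf"), read("transforms.conf"), files)


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_SAVEDSEARCHES, SAMPLE_MACROS).items():
        print(name)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Run it against an unpacked export with `audit_export(Path("DA-ESS-SOC_custom"))` (the app name is an assumption). With the constructed sample, the first search reports `cim_Authentication_indexed` and `soc_admin_hosts` as unbundled and shows the email address and script name that would ship, which is exactly what you want to see before moving the app from a test search head into production.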
Last modified on 30 November, 2016

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only

