Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Import custom apps and add-ons to Splunk Enterprise Security

You can extend the functionality of Splunk Enterprise Security with apps and add-ons. Download apps and add-ons from Splunkbase or create your own add-on with a tool such as the Splunk Add-on Builder. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads.

Use the Update ES modular input

Splunk Enterprise Security integrates the configurations of apps and add-ons installed on the same search head. The Update ES modular input is responsible for importing all apps and add-ons that match a regex filter. The filter is defined in the app path SplunkEnterpriseSecuritySuite/default/inputs.conf.

Modular input Function
app_imports_update://update_es Imports and updates the metadata for supporting add-ons.
app_imports_update://update_es_da Imports and updates the metadata for domain add-ons.
app_imports_update://update_es_main Imports and updates the metadata for the SplunkEnterpriseSecuritySuite.

Imports are transitive

App imports are transitive. This means that an app (A) that imports another app (B), also imports all of the apps (C) imported by that app.

  1. If app A imports B,
  2. and app B imports C,
  3. then A imports C.

Because supporting add-ons import each other, you might see only one supporting add-on with an updated local.meta file. This is SA-AccessProtection, as it is the first supporting add-on in the list of apps.

View existing app imports

Use the |rest search commands to view the existing app imports. You must have Splunk administrator permissions to run the command. For example, to view the imports for the SplunkEnterpriseSecuritySuite app while authenticated as the admin user:

| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import

App and add-on import naming conventions

The modular inputs will automatically import apps and add-ons prefixed with any of the following: DA-ESS-, SA-, TA-, Splunk_SA_, Splunk_TA_, and Splunk_DA-ESS_.

Import add-ons with a different naming convention

If your custom add-on does not use the typical ES naming conventions, you must add the name or a naming convention to the import modular input.

  1. On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
  2. Edit the update_es input.
  3. Update the Application Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
    1. For example, to import a new add-on named My_datasource update the Application Regular Expression field to:
      (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(My_datasource)
    2. When changing the Application Regular Expression field, always append to the default regex or the existing app imports will fail.
  4. Save.
  5. Preview the changes

    |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated

  6. Restart Splunk Enterprise services to incorporate the changes.

Remove an add-on from app import

Exclude an add-on from the app import process.

  1. On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
  2. Edit the update_es input.
  3. Update the Application Exclusion Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
    1. For example, to exclude a new add-on named TA_new_test update the Application Exclusion Regular Expression field to: |TA_new_test
  4. Save.
  5. Preview the changes

    |rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated

  6. Restart Splunk Enterprise services to incorporate the changes.
PREVIOUS
Deploy add-ons included with Splunk Enterprise Security
  NEXT
Integrate Splunk Stream with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters