Export content from Splunk Enterprise Security as an app
Export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can export any type of content on the Content Management page, such as detections, data models, and views.
By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.
- From the ES menu bar, select Security content, then Content management.
- Select the check boxes of the content you want to export.
- Select Edit Selection, then select Export.
- Type an App name. This is the name of the app directory in the file system. For example, SOC_custom.
- Select an App name prefix. If you want to import the content back into Splunk Enterprise Security without modifying the default app import conventions, select DA-ESS-. Otherwise, select No Prefix.
- Type a Label. This is the display name of the app. For example, Custom SOC app.
- Type a Version and Build number for your app.
- Select Export.
- Select Download app now to download the app package. The package is also written on the search head at $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
- Select Close to return to Content Management.
Limitations to exported content
Content exported from one version of Enterprise Security might not work on an older version. The following table lists what is and is not included in an export for each type of content. Objects in the "Not included" column, such as macros, lookups, and script files that a search refers to, must be added to the package or created on the target instance separately.
Exported item | Included in export | Not included in export
---|---|---
Data models | datamodels.conf and the data model JSON definition | N/A
Saved searches, including detections, key indicator searches, and swim lane searches | savedsearches.conf and governance.conf; alert actions and response actions, including risk assignments, script names, and email addresses | Macros, script files, lookups, or any binary files referenced by the search object; Extreme Search objects, such as the context-generating search, the contexts, or the concepts referenced by the search object
Search-driven lookups | savedsearches.conf, governance.conf, managed_configurations.conf, collections.conf, and transforms.conf | Macros, script files, lookups, or any binary files referenced by the search object
Managed lookups | The lookup CSV file, managed_configurations.conf, collections.conf, and transforms.conf | N/A
Views | The XML or HTML, CSS, and JS files for the view | N/A
Sequence templates | app.conf and sequence_templates.conf for all the selected templates | The sequenced events themselves, which remain in the sequenced_events index
Risk factors | risk_factors.conf | N/A
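Because the export ships a search but not the macros, lookups, or scripts the search depends on, a package that imports cleanly can still contain detections that fail on the first scheduled run. The following script is an added example, not code from Splunk or from the ES app: it opens an exported app (the extracted directory or the .tgz/.spl package), collects the macros, lookups, and alert-action script files that its savedsearches.conf and transforms.conf refer to, and reports the ones the package itself neither defines nor ships. It assumes the standard Splunk app layout (default/*.conf, lookups/, bin/); SAMPLE_PACKAGE is a constructed stand-in for the contents of a real export.

```python
"""Audit an exported ES app package for references the export does not include.

Added example (not Splunk's code). Assumes the standard Splunk app layout:
default/*.conf, lookups/<csv>, bin/<script>. SAMPLE_PACKAGE below is constructed.
"""
import configparser
import re
import tarfile
from pathlib import Path

# `name` or `name(arg, ...)` inside a search string
MACRO_RE = re.compile(r"`([A-Za-z_]\w*)(?:\([^)]*\))?`")
# | lookup NAME ... / | inputlookup [opt=val ...] NAME / | outputlookup NAME
LOOKUP_RE = re.compile(r"\|\s*(?:input|output)?lookup\s+(?:\w+=\S+\s+)*([\w.-]+)")
KINDS = ("macros", "lookups", "lookup_files", "scripts")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    # Splunk continues a setting onto the next line with a trailing backslash.
    joined = re.sub(r"\\\n\s*", " ", text)
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. action.script.filename
    cp.read_string(joined)
    return {s: dict(cp[s]) for s in cp.sections()}


def read_package(path):
    """Return {relative_path: text} for an app directory or a .tgz/.spl package."""
    path = Path(path)
    files = {}
    if path.is_dir():
        for p in path.rglob("*"):
            if p.is_file():
                files[p.relative_to(path).as_posix()] = p.read_text(errors="replace")
        return files
    with tarfile.open(path) as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = "/".join(Path(m.name).parts[1:])  # drop the top-level app dir
                files[rel] = tar.extractfile(m).read().decode(errors="replace")
    return files


def references(files):
    """What the package's searches and lookup definitions refer to."""
    need = {k: set() for k in KINDS}
    for rel, text in files.items():
        name = Path(rel).name
        if name == "savedsearches.conf":
            for stanza in parse_conf(text).values():
                search = stanza.get("search", "")
                need["macros"].update(MACRO_RE.findall(search))
                need["lookups"].update(LOOKUP_RE.findall(search))
                if stanza.get("action.script.filename"):
                    need["scripts"].add(stanza["action.script.filename"])
        elif name == "transforms.conf":
            for stanza in parse_conf(text).values():
                if stanza.get("filename"):
                    need["lookup_files"].add(stanza["filename"])
    return need


def provided(files):
    """What the package itself defines or ships."""
    have = {k: set() for k in KINDS}
    for rel, text in files.items():
        name = Path(rel).name
        if name == "macros.conf":
            # macros.conf stanzas carry the arity, e.g. [mymacro(2)]; drop it
            have["macros"].update(re.sub(r"\(\d+\)$", "", s) for s in parse_conf(text))
        elif name == "transforms.conf":
            have["lookups"].update(parse_conf(text))  # lookup definitions by stanza name
        elif rel.startswith("lookups/"):
            have["lookups"].add(name)        # CSV used directly by file name
            have["lookup_files"].add(name)   # CSV backing a transforms.conf stanza
        elif rel.startswith("bin/"):
            have["scripts"].add(name)
    return have


def audit(files):
    """Return {kind: sorted names} of references the package leaves unsatisfied."""
    need, have = references(files), provided(files)
    return {k: sorted(need[k] - have[k]) for k in KINDS}


# Constructed sample of what an export of one detection and one lookup-generating
# search might contain; the macro, the script and the asset CSV are not in it.
SAMPLE_PACKAGE = {
    "default/app.conf": "[launcher]\nversion = 1.0.0\n",
    "default/savedsearches.conf": (
        "[Threat - Custom Brute Force - Rule]\n"
        "search = `custom_auth_events` | lookup custom_asset_lookup src OUTPUT priority \\\n"
        "    | stats count by src\n"
        "action.script = 1\n"
        "action.script.filename = notify_soc.py\n"
        "\n"
        "[Audit - Custom Summary Gen]\n"
        "search = index=notable | inputlookup append=t custom_notable_summary.csv"
        " | outputlookup custom_notable_summary.csv\n"
    ),
    "default/transforms.conf": "[custom_asset_lookup]\nfilename = custom_assets.csv\n",
    "lookups/custom_notable_summary.csv": "src,count\n",
}

if __name__ == "__main__":
    import sys
    pkg = read_package(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKAGE
    for kind, missing in audit(pkg).items():
        print(f"{kind:13s} missing: {', '.join(missing) or 'none'}")
```

Run it against the downloaded package (for example `python audit_export.py DA-ESS-SOC_custom.tgz`) before importing into production; anything it lists has to be copied into the package or already exist on the target search head. The lookup check is deliberately two-sided: a `| lookup` reference is satisfied by a transforms.conf stanza, but that stanza's `filename` must in turn be present under lookups/, which is exactly the gap the table above describes for search-driven lookups.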
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0