Splunk® Enterprise Security

Administer Splunk Enterprise Security

Export content from Splunk Enterprise Security as an app

Export content from Splunk Enterprise Security as an app from the Content Management page. Use the export option to share custom content with other ES instances, such as migrating customized searches from a development or testing environment into production. You can export any type of content on the Content Management page, such as detections, data models, and views.

By default, only admin users can export content. To add the export capability to another role, see Adding capabilities to a role in the Installation and Upgrade Manual.

  1. From the ES menu bar, select Security content then Content management.
  2. Select the check boxes of the content you want to export.
  3. Select Edit Selection and select Export.
  4. Type an App name. This will be the name of the app in the file system.
    For example, SOC_custom.
  5. Select an App name prefix. If you want to import the content back into Splunk Enterprise Security without modifying the default app import conventions, select DA-ESS-. Otherwise, select No Prefix.
  6. Type a Label. This is the name of the app.
    For example, Custom SOC app.
  7. Type a Version and Build number for your app.
  8. Select Export.
  9. Select Download app now to download the app package to the search head at the location $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/*.
  10. Select Close to return to Content Management.

Limitations to exported content

Exported content may not work on older versions of Enterprise Security. The following items are included or not included in exported content.

Exported item Included in export Not included in export
Data models datamodels.conf and data model JSON definition. N/A
Saved searches, including detections, key indicator, and swim lane searches savedsearches.conf
governance.conf
Alert actions and response actions, including risk assignments, script names, and email addresses.
Macros, script files, lookups, or any binary files referenced by the search object. Extreme Search objects, such as the context generating search, the contexts, or the concepts referenced by the search object.
Search-driven lookups savedsearches.conf
governance.conf
managed_configurations.conf
collections.conf
transforms.conf
Macros, script files, lookups, or any binary files referenced by the search object.
Managed lookups The lookup CSV file.
managed_configurations.conf
collections.conf
transforms.conf
N/A
Views The XML or HTML, CSS, and JS files for the view. N/A
Sequence Template app.conf and sequence_templates.conf for all the selected templates. The sequenced events themselves are not exported, but saved in the sequenced_events index.
Risk factors risk_factors.conf N/A
Last modified on 22 August, 2024
Create and manage views in Splunk Enterprise Security   Create and manage lookups in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters