Hi,
I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag does get applied in the "Search & Reporting" app; however, it is not applied in my other apps, e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder; the following is what my eventtypes.conf and tags.conf look like:
eventtypes.conf
[testemail]
search = index=emailgateway sourcetype=gateway:email
tags.conf
[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled
I also have a metadata folder where it sets the app to be global:
default.meta
# Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system
Can anyone please let me know if I'm missing something?
Best Regards,
Johan
Hi,
I found the problem.
The app name does not comply with ES.
It has to be either Splunk_TA_[appname] or TA-[appname].
We can check the requirement for the app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:
[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)
Then we can refresh the Splunk config.
Regards,
Johan
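To check an app name against the import stanza quoted in the answer before restarting anything, here is an added example (not part of the original thread or of Splunk's own code). It parses a constructed copy of the [app_imports_update://update_es] stanza and applies an assumed rule: an app on app_include_list is always imported, otherwise the name must match app_regex from its start and must not match app_exclude_regex; the anchoring and the comma-separated include list are assumptions, not documented ES behaviour.

```python
import re

# Constructed copy of the stanza quoted above; not read from a real ES install.
INPUTS_CONF = """
[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)
"""


def parse_stanza(conf_text, stanza):
    """Return the key/value pairs of one stanza from Splunk .conf text."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == stanza and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def es_imports_app(app_name, settings):
    """Assumed import rule (not taken from ES source): explicit include wins,
    then the exclude regex blocks, then app_regex must match at the start."""
    include = {a.strip() for a in settings.get("app_include_list", "").split(",") if a.strip()}
    if app_name in include:
        return True
    exclude = settings.get("app_exclude_regex", "")
    if exclude and re.match(exclude, app_name):
        return False
    return re.match(settings["app_regex"], app_name) is not None


if __name__ == "__main__":
    cfg = parse_stanza(INPUTS_CONF, "app_imports_update://update_es")
    # TA_test (underscore) is rejected; TA-test and Splunk_TA_test are imported.
    for name in ["TA_test", "TA-test", "Splunk_TA_test", "sideview_utils"]:
        print(f"{name:20} imported={es_imports_app(name, cfg)}")
```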
For documentation on the naming convention and how to import custom apps that don't meet that convention, see http://docs.splunk.com/Documentation/ES/4.7.4/Install/ImportCustomApps