Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Release notes for the Splunk Common Information Model Add-on

New features

Version 4.1.0 of the Splunk Common Information Model Add-on includes the following new features:

Resolved date Issue number Description
10/14/14 CIM-202 Add category, business unit, and location attributes to Alerts, Databases, Interprocess_Messaging, Network_Sessions, Splunk_Audit, and Ticket_Management.
09/30/14 CIM-217 Add cvss attribute to Vulnerability data model
09/30/14 CIM-219 Add file_size attribute to Email data model
09/18/14 CIM-214 Add "teardown" as acceptable All_Traffic.action value in Network_Traffic data model.
09/16/14 CIM-201, CIM-191, CIM-204 Added fields to the Databases data model: response_time, duration, dest_bunit, dest_category, dest_priority, src_bunit, src_category, src_priority, user_bunit, user_category, user_priority, query, records_affected, and moved user field to top level of model.
09/10/14 CIM-192 Add duration and response_time to the following data models: Authentication, Certificates, Databases, Email, Interprocess Communication, Network Resolution, Network Sessions, Network Traffic, Web.
09/08/14 CIM-10 Add Network Resolution (DNS) data model.
09/05/14 CIM-178 Add Certificates data model.
09/04/14 CIM-200 Add macro to populate a list of all email protocols.
09/04/14 CIM-199 Add way to check if a given set of web domains are cloud domains.

Fixed issues

Version 4.1.0 of the Splunk Common Information Model Add-on fixes the following issues:

Resolved date Defect number Description
11/05/14 CIM-244 Confusion between fields protocol, ip_version, and transport in Network Traffic data model. ip_version changed to protocol_version; both protocol and protocol_version now typed as strings.
10/28/14 CIM-212 Databases data model now uses vendor_product rather than vendor and product, for consistency with other models.
10/27/14 CIM-230 Reduce object hierarchy in Network_Traffic and Web data models to improve performance.
10/23/14 CIM-235 Data model required attributes have empty string values. Should be corrected to "unknown".
10/17/14 CIM-233 Network Sessions data model is not getting accelerated, Data model audit shows error "Error in 'eval' command: The arguments to the 'case' function are invalid."
10/16/14 CIM-232 Error in model "Network_Sessions" : Error in 'DataModelEvaluator': JSON for model 'Network_Sessions' is invalid.
10/15/14 CIM-231 "Cached" attribute missing from Web data model.
10/14/14 CIM-229 Make recipient_count default to 1 for Email datamodel.
10/10/14 CIM-223 Pivot: Pivot page throws error "Error in model "Service_Management" : Error in 'DataModelEvaluator': JSON for model 'Service_Management' is invalid."
08/13/14 CIM-185 Splunk_Audit model has a dependency it should not have on TA-splunk.
07/31/14 CIM-180 Fix spelling of received in interprocess messaging.
07/31/14 CIM-173 Make "response_time" a number and optional.
05/23/14 CIM-141 Database model needs to expose an mv field "tag"

Known issues

Version 4.1.0 of the Splunk Common Information Model Add-on has the following known issues:

Date Defect number Description
11/12/14 CIM-252 Field "entry" for Network Resolution data model is not needed and should be removed.
11/12/14 CIM-251 Field "time_submitted" in Ticket Management data model should be a time, not a string.
11/06/14 CIM-248 Field "file_size" in Change Analysis data model should be a number, not a string.
11/05/14 CIM-247 Field "icmp_type" in Network Traffic data model should be a number, not a string.
10/24/14 CIM-252 BaseEvent object hierarchy makes accelerated search unwieldy.
10/03/14 CIM-221 Field extraction should avoid variable keys whenever possible.
10/03/14 CIM-220 Event types should avoid KV whenever possible.
07/07/14 CIM-169 Remote search log warning messages from acceleration due to long search strings. Workaround: turn off truncation on indexers in etc/system/local/props.conf as shown:

[splunkd_remote_searches]

TRUNCATE = 0

10/11/13 CIM-85 Inconsistent use of url and uri in Web data model fields.

Third-party software attributions

Version 4.1.0 of the Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 16 September, 2016
Install the Splunk Common Information Model Add-on   Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters