Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Set up the Splunk Common Information Model Add-on

Visit the Splunk Common Information Model Add-on Setup page to perform optional configurations.

  • Constrain the indexes that each data model searches against, to improve performance.
  • Enable or adjust the acceleration of each data model.

Access the setup page by going to Apps > Manage Apps, and then clicking Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.4.X or later, and only Splunk admins can make edits by default.

Set index constraints

On the Splunk Common Information Model Add-on Setup page, you can constrain the indexes that each data model searches against, to improve performance. By default, each data model searches all indexes. To constrain a search, click the name of the data model and check the boxes to indicate which indexes that data model should search.

If you have constrained a data model to selected indexes and then later add another index to your environment that is also relevant to this data model, return to this page and add the new index to your constraints.

Accelerate CIM data models

You can accelerate a data model to speed up the data set represented by that data model for reporting purposes. After you accelerate a data model, your reports and dashboard panels that reference the accelerated data model will return results faster. A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets. For more information about accelerating data models, see Enable data model acceleration in the Knowledge Manager Manual for Splunk Enterprise.

All data models included in the CIM add-on have data model acceleration disabled by default. If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app acceleration enforcement re-accelerates the data models automatically.

If you are using the CIM without these apps installed, you can choose to accelerate one or more of the data models manually. To enable acceleration or change acceleration parameters, click the Settings tab in the CIM Setup page.

Enable data model acceleration

Configure the acceleration parameters of the CIM data models in the CIM Setup view.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select a data model that you want to accelerate.
  5. Click the box next to acceleration.enabled to accelerate the model.
  6. (Optional) Configure the advanced acceleration settings.

    Parameter | Description
    acceleration.backfill_time | How far back in time the Splunk platform should create its column stores, specified as a relative time string. Only set this parameter if you want to backfill less data than the retention period set by 'acceleration.earliest_time'. Refer to datamodels.conf.spec for warnings and limitations.
    acceleration.earliest_time | How far back in time the Splunk software should keep these column stores, specified as a relative time string.
    acceleration.max_time | The maximum amount of time that the column store creation search is allowed to run, in seconds.
    acceleration.max_concurrent | The maximum number of concurrent acceleration instances for this data model that the scheduler is allowed to run.
    acceleration.manual_rebuilds | When checked, this setting prevents outdated summaries from being rebuilt by the 'summarize' command. Admins can manually rebuild a data model through the Data Model Manager page by expanding the row for the affected data model and clicking Rebuild.
    acceleration.schedule_priority | Raises the scheduling priority of a summary search, as follows:
      • default: No scheduling priority increase.
      • higher: Scheduling priority is higher than other data model searches.
      • highest: Scheduling priority is higher than other searches regardless of scheduling tier, except real-time-scheduled searches with priority = highest always have priority over all other searches.
      This field is only available in Splunk platform 6.5.X or later.

    For more detailed reference information on these fields, see Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual in the Splunk Enterprise documentation.
  7. Click Save.

For more information about accelerated data models and data model acceleration jobs, see Check the status of data model accelerations in this topic.

Disable acceleration for a data model

If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app acceleration enforcement re-accelerates the data models automatically.

If you do not have an app installed that enforces acceleration of any CIM data models, you can edit the acceleration settings on the CIM Setup page.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select the data model for which you want to disable acceleration.
  5. Uncheck the box next to acceleration.enabled to stop accelerating this data model.
  6. Click Save.

Change the summary range for data model accelerations

A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Find the Splunk Common Information Model add-on.
  3. Click Set up to open the CIM Setup page.
  4. Click the Settings tab.
  5. Select the data model you want to change.
  6. Set a summary range:
    1. Review the acceleration.enabled setting. A summary range only applies to accelerated data models.
    2. Review the acceleration.earliest_time setting to determine the current summary range.
    3. Change the acceleration.earliest_time setting. Examples: -1y, -3mon, -1mon, -1w, -1d, or 0 for "All Time".
  7. Select Save.

The CIM Setup page will only display CIM data models. A custom data model will not be displayed and cannot have its settings changed from the CIM Setup page. To change the summary range or other settings on a custom data model, manually edit the datamodels.conf provided with the app or add-on. For more information, see the datamodels.conf spec file in the Splunk Enterprise Admin Manual.
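For custom data models edited by hand, the following added example (not Splunk code and not part of the original manual) checks a datamodels.conf for the constraints described above: a backfill range no longer than the summary range, and a schedule priority from the documented set. The stanza names are hypothetical, the `acceleration` key is assumed to be the datamodels.conf counterpart of acceleration.enabled, and only the `-<n><unit>` and `0` time forms are parsed.

```python
import configparser
import re

# Constructed sample: datamodels.conf for two hypothetical custom data models.
SAMPLE_CONF = """
[My_Custom_Model]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.backfill_time = -3mon
acceleration.schedule_priority = urgent
[Another_Model]
acceleration = true
acceleration.earliest_time = -1y
acceleration.backfill_time = -1w
"""

EARLIEST, BACKFILL = "acceleration.earliest_time", "acceleration.backfill_time"
PRIORITIES = {"default", "higher", "highest"}
# Approximate unit lengths in seconds, used only to compare two ranges.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
                "mon": 2592000, "q": 7776000, "y": 31536000}
REL_TIME = re.compile(r"^-(\d+)(mon|s|m|h|d|w|q|y)$")

def range_seconds(value):
    """Look-back in seconds; 0 means "All Time"; None if not -<n><unit> or 0."""
    if value == "0":
        return 0
    m = REL_TIME.match(value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None

def audit(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for model in parser.sections():
        stanza = parser[model]
        # Assumption: conf key "acceleration" is acceleration.enabled in the UI.
        if not stanza.getboolean("acceleration", fallback=False):
            continue  # a summary range only applies to accelerated data models
        ranges = {k: range_seconds(stanza[k].strip())
                  for k in (EARLIEST, BACKFILL) if k in stanza}
        findings += [(model, f"{k} is not -<n><unit> or 0")
                     for k, v in ranges.items() if v is None]
        keep, fill = ranges.get(EARLIEST), ranges.get(BACKFILL)
        if keep and fill is not None and (fill == 0 or fill > keep):
            findings.append((model, "backfill_time reaches back past earliest_time"))
        priority = stanza.get("acceleration.schedule_priority", "default")
        if priority not in PRIORITIES:
            findings.append((model, f"unknown schedule_priority {priority!r}"))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns two findings, both for My_Custom_Model; Another_Model passes.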

Check the status of data model accelerations

Use the Data Model Audit dashboard to display information about the state of data model accelerations in your environment. Alternatively, use the `cim_datamodelinfo` macro to search the data model statuses from the search bar.

To access the dashboard:

  1. Go to the Search and Reporting app.
  2. In the menu bar, click Dashboards.
  3. Select the Data Model Audit dashboard.

Panel | Description
Top Accelerations By Size | Displays the accelerated data models sorted in descending order by MB on disk.
Top Accelerations By Run Duration | Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks.
Acceleration Details | Displays a table of the accelerated data models with additional information.

Last modified on 10 March, 2017

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0

