Install the Splunk Common Information Model Add-on
- Download the Common Information Model add-on from Splunkbase at https://apps.splunk.com/app/1621/.
- Review the indexes defined in CIM.
cim_summaryindex definition is deprecated, but is included for backwards compatibility with upgraded versions of Splunk Enterprise Security and the Splunk App for PCI Compliance.
cim_modactionsindex definition is used with the common action model alerts and auditing. Assign the appropriate Roles to search the index.
- Install the Splunk Common Information Model Add-on to your search heads only. Installing this add-on to indexers results in redundant data model acceleration overhead if acceleration is enabled.
Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
Next: See Set up the Splunk Common Information Model Add-on to perform optional configurations to improve performance.
Overview of the Splunk Common Information Model
Set up the Splunk Common Information Model Add-on
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0