Add-ons and CIM
Splunk add-ons are most commonly used to bring a new data source into the Splunk platform. Most add-on developers design their add-ons to be used with the Splunk Common Information Model (CIM) in order to work with the larger Splunk ecosystem. Splunk-developed add-ons provide the field extractions, lookups, and event types needed to map data to the CIM, allowing customers to easily use the new data source in data models, pivots, and CIM-based apps.
The Splunk Common Information Model add-on is not required to use add-on features such as data collection, prebuilt panels, or custom commands. You can use individual add-ons on their own, without installing the CIM add-on, if you do not want to map their data to the CIM.
To take advantage of the CIM mappings provided in an add-on, install the Splunk Common Information Model add-on to your search heads. The Splunk Common Information Model add-on is packaged with CIM-based apps such as Splunk Enterprise Security and the Splunk App for PCI Compliance. If you are using an add-on in conjunction with one of these apps, you do not need to install the Splunk Common Information Model add-on separately. However, the Splunk Common Information Model add-on is not packaged with all apps that are designed to use the CIM. In order to use data from an add-on with an app that relies on the CIM, you need to install the Splunk Common Information Model add-on.
A full list of apps that work with the Splunk Common Information Model is available on Splunkbase.
About Splunk add-ons
Source types for add-ons
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!