Release notes for the Splunk Common Information Model Add-on
Version 4.10.0 of the Splunk Common Information Model Add-on was released on February 13, 2018.
New features
Version 4.10.x of the Splunk Common Information Model Add-on includes the following new features.
- In the Certificates data model, if values for the
common_name
field are not defined or extracted, the values are filled with the stringunknown
. Because of this change, update any searches that includecommon_name!=*
tocommon_name="unknown"
. - In the Splunk Audit Logs data model, a new
search_alias
field exists to record a description of the search being run, such as the name of the search.
Upgrade requirements
Splunk platform version | Upgrade activity |
---|---|
6.6.X or later | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field. |
6.5.X or earlier | No upgrade activity required. |
Compatibility
Version 4.10.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.5.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues.
Date resolved | Issue number | Description |
---|---|---|
2017-11-03 | CIM-583 | Network Resolution data model has multiple references to reply_code_id field |
2017-09-18 | CIM-571, CIM-577 | Python logging is not user-timezone agnostic. |
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues.
Date filed | Issue number | Description |
---|---|---|
2018-12-19 | CIM-785 | index=_internal was not properly removed from tag=modaction |
2018-12-05 | CIM-784 | Common Action Model calculates info_file incorrectly when using per-result alerting |
2018-03-29 | CIM-645 | CIM doesn't support multi-value tcp flags in the network traffic data model |
2018-01-10 | CIM-616 | CIM 4.8+ causes "guided search" build_id errors in Enterprise Security. Workaround: Upgrade to Enterprise Security 4.7.x or higher |
2016-09-16 | CIM-428, SPL-128919 | sendalert reflects owner="system" for adhoc action invocations |
2014-07-07 | CIM-169 | Remote search log warning messages from acceleration due to long search strings Workaround: Turn off truncation on indexers in etc/system/local/props.conf as shown:
|
Deprecated features
- As of version 4.5.0, the index definition
cim_summary
is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release. - Several configurations are deprecated and will be removed in a future release.
`search_activity`
macro`search_typer`
macrodatamodel_for_audittrail
transformsavedsearch_name_for_audittrail
transformuser_for_audittrail
transform
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
Set up the Splunk Common Information Model Add-on | Support and resource links for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.10.0
Feedback submitted, thanks!