Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Release notes for the Splunk Common Information Model Add-on

Version 4.11.0 of the Splunk Common Information Model Add-on was released on May 14, 2018.

New features

Version 4.11.x of the Splunk Common Information Model Add-on includes the following new features.

  • The Common Action Model has been enhanced allow "required" fields to be specified for a given action. See alert_actions.conf.spec for more details.
  • The "spent" attribute has been added to Splunk_Audit.View_Activity to represent the amount of time it took in milliseconds to load the view.

Upgrade requirements

Splunk platform version Upgrade activity
6.6.X or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.

Compatibility

Version 4.11.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.5.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.


Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2019-09-16 CIM-869 Adhoc Modular Actions: Splunk users with spaces in their name unable to dispatch adhoc actions
2019-03-01 CIM-797 CIM Setup Page on Splunk Enterprise 7.2 shows navigation items from other app
2018-12-19 CIM-785 index=_internal was not properly removed from tag=modaction
2018-12-05 CIM-784 Common Action Model calculates info_file incorrectly when using per-result alerting
2018-05-23 CIM-660 CIM Setup: setting name refinement

Workaround:
The work around for this would be to set the earliest time and summary data to one of the summary ranges drop down but if the customer wants a customized time then they would only adjust the earliest time and verify that is what is applied to the config.
2018-03-29 CIM-645 CIM doesn't support multi-value tcp flags in the network traffic data model
2014-07-07 CIM-169 Remote search log warning messages from acceleration due to long search strings

Workaround:
Turn off truncation on indexers in etc/system/local/props.conf as shown:

[splunkd_remote_searches]
TRUNCATE = 0

Deprecated features

  • As of version 4.11.0, the index definition cim_summary has been removed.
  • Several configurations are deprecated and will be removed in a future release.
    • `search_activity` macro
    • `search_typer` macro
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 17 September, 2019
Set up the Splunk Common Information Model Add-on   Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.11.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters