Release notes for the Splunk Common Information Model Add-on
Version 4.13.0 of the Splunk Common Information Model Add-on was released on April 2, 2019.
New features
Version 4.13.x of the Splunk Common Information Model Add-on includes the following new features.
- The
acceleration.manual_rebuildsparameters are enabled by default indatamodels.conf. This disables automatic rebuilds for persistently accelerated data models. If you need to rebuild a datamodel for a model stanza that specifiesmanual_rebuilds=trueyou should do so manually. See Manual Data Model Management in the Splunk Enterprise Knowledge Manager Manual. - The
process_guidfield now exists in all objects in the Endpoint Data Model. This is a globally unique identifier of the process assigned by the vendor product. See Endpoint. - The
splunk_idandsplunk_realmfields now exist in the All_Ticket_Management dataset in the Ticket Management Data Model. When a Splunk solution generates a notable event, or set of notable events, these fields are a standard means of tracking the unique ID associated with the solution and the event. See Ticket Management.
Upgrade requirements
| Splunk platform version | Upgrade activity |
|---|---|
| 6.6.X to 7.3.x | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field. |
Compatibility
Version 4.13.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.5.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-01-31 | CIM-785 | index=_internal was not properly removed from tag=modaction |
| 2018-12-20 | CIM-784 | Common Action Model calculates info_file incorrectly when using per-result alerting |
| 2018-11-15 | CIM-778, SOLNESS-14831 | Excessive log rotation error on Windows for correlationmigration_rest_handler.log file, required manual roll of file |
| 2018-10-10 | CIM-645 | CIM doesn't support multi-value tcp flags in the network traffic data model |
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-09-16 | CIM-869 | Adhoc Modular Actions: Splunk users with spaces in their name unable to dispatch adhoc actions |
| 2019-04-30 | CIM-813 | Fields with leading uppercase do not MV properly Workaround: Use fieldname starting with lowercase letter for multivalue fields instead |
| 2019-03-01 | CIM-797 | CIM Setup Page on Splunk Enterprise 7.2 shows navigation items from other app |
Deprecated features
As of version 4.13.0:
- N/A
As of version 4.12.0:
- The modaction_invocations_rest_handler.py (alerts/modaction_invocations) has been deprecated and will be removed in a future version.
- The following previously deprecated configurations have been removed.
`search_activity`macro`search_typer`macro
- Deprecated data models: Application State and Change Analysis
As of version 4.11.0:
- The index definition
cim_summaryhas been removed. - Several configurations are deprecated and will be removed in a future release.
datamodel_for_audittrailtransformsavedsearch_name_for_audittrailtransformuser_for_audittrailtransform
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
| Set up the Splunk Common Information Model Add-on | Support and resource links for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.13.0
Download manual
Feedback submitted, thanks!