Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

Version 4.13.0 of the Splunk Common Information Model Add-on was released on April 2, 2019.

New features

Version 4.13.x of the Splunk Common Information Model Add-on includes the following new features.

  • The acceleration.manual_rebuilds parameters are enabled by default in datamodels.conf. This disables automatic rebuilds for persistently accelerated data models. If you need to rebuild a datamodel for a model stanza that specifies manual_rebuilds=true you should do so manually. See Manual Data Model Management in the Splunk Enterprise Knowledge Manager Manual.
  • The process_guid field now exists in all objects in the Endpoint Data Model. This is a globally unique identifier of the process assigned by the vendor product. See Endpoint.
  • The splunk_id and splunk_realm fields now exist in the All_Ticket_Management dataset in the Ticket Management Data Model. When a Splunk solution generates a notable event, or set of notable events, these fields are a standard means of tracking the unique ID associated with the solution and the event. See Ticket Management.

Upgrade requirements

Splunk platform version Upgrade activity
6.6.X or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.

Compatibility

Version 4.13.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.5.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.

Date resolved Issue number Description
2019-01-31 CIM-785 index=_internal was not properly removed from tag=modaction
2018-12-20 CIM-784 Common Action Model calculates info_file incorrectly when using per-result alerting
2018-11-15 CIM-778, SOLNESS-14831 Excessive log rotation error on Windows for correlationmigration_rest_handler.log file, required manual roll of file
2018-10-10 CIM-645 CIM doesn't support multi-value tcp flags in the network traffic data model

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2019-09-16 CIM-869 Adhoc Modular Actions: Splunk users with spaces in their name unable to dispatch adhoc actions
2019-04-30 CIM-813 Fields with leading uppercase do not MV properly

Workaround:
Use fieldname starting with lowercase letter for multivalue fields instead

 

2019-03-01 CIM-797 CIM Setup Page on Splunk Enterprise 7.2 shows navigation items from other app

Deprecated features

As of version 4.13.0:

  • N/A

As of version 4.12.0:

  • The modaction_invocations_rest_handler.py (alerts/modaction_invocations) has been deprecated and will be removed in a future version.
  • The following previously deprecated configurations have been removed.
    • `search_activity` macro
    • `search_typer` macro
  • Deprecated data models: Application State and Change Analysis

As of version 4.11.0:

  • The index definition cim_summary has been removed.
  • Several configurations are deprecated and will be removed in a future release.
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

PREVIOUS
Set up the Splunk Common Information Model Add-on
  NEXT
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.13.0


Comments

Hi Gabriel! Thanks for the doc comment. Yes, you can upgrade the CIM app without upgrading ES.

Lkutch splunk, Splunker
July 8, 2019

Hi! In the compatibility section, can you please advise compatibility with Enterprise Security? Is it safe to upgrade the CIM app without upgrading ES? If so does it depend on the version of ES?

Gabriel vasseur
July 1, 2019

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters