Splunk® Common Information Model Add-on

Common Information Model Add-on Manual



This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Set up the Splunk Common Information Model Add-on

Perform optional configurations on the Splunk Common Information Model Add-on Setup page.

  • Constrain the indexes that each data model searches in order to improve performance.
  • Configure the tag whitelist that each data model searches.
  • Enable or adjust the acceleration of each data model.

Access the setup page by selecting Apps > Manage Apps and then clicking Set up in the row for Splunk Common Information Model. You can only use the setup page on Splunk platform version 6.4.x or later. With Splunk_SA_CIM version 4.11.0 and lower, you need to have the admin_all_objects capability. With Splunk_SA_CIM version 4.12.0 and higher, you need to have the accelerate_datamodel capability. If you do not see a link to set up the app, you can access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Set index constraints

Improve performance by constraining the indexes that each data model searches. By default, each data model searches all indexes.

  1. In Splunk Web, access the CIM Setup page:
    • Select Apps > Manage Apps and then click Set up in the row for Splunk Common Information Model.
    • Access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
  2. Select the data model that you want to modify.
  3. In Indexes whitelist, type the index that the data model should search. Indexes defined on your search head appear in the drop-down list. You can type the names of indexes that are defined only on indexers.
  4. Click Save.

If you constrain a data model to selected indexes and then later add another index to your environment that is also relevant to the data model, return to this page and add the new index to the data model constraints.

Accelerating CIM data models

Enable acceleration for data models to return results faster for searches, reports, and dashboard panels that reference the data model.

The summary range settings of a data model affect the size of the data models on disk and also affect the processing load on the indexers due to the load of creating accelerated data alongside the index buckets. See Enable data model acceleration in the Knowledge Manager Manual for Splunk Enterprise.

All data models included in the CIM add-on have data model acceleration disabled by default.

If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, configuration settings automatically accelerate some of the data models in the CIM. If you use these apps, do not make changes to acceleration settings on the CIM setup page because your changes do not persist. Instead, make changes in the Data Model Acceleration Enforcement modular input on your search head. The modular input overrides the acceleration status that you set on the CIM setup page to make sure that the apps continue to work.


If you use the CIM without these apps installed, you can choose to accelerate one or more of the data models manually.

Enable data model acceleration

Configure the acceleration parameters of the CIM data models in the CIM Setup view.

  1. In Splunk Web, access the CIM Setup page:
    • Select Apps > Manage Apps and then click Set up in the row for Splunk Common Information Model.
    • Access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
  2. Select a data model that you want to accelerate.
  3. Select the check box next to Accelerate to accelerate the model.
  4. (Optional) Configure the advanced acceleration settings.
    Parameters, with descriptions and pointers to more information:

    • Backfill range: How far back in time the Splunk platform creates its column stores, specified as a relative time string. Only set this parameter if you want to backfill less data than the retention period set by Earliest time. Refer to datamodels.conf.spec for warnings and limitations. More information: See datamodels.conf.spec and Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual in the Splunk Enterprise documentation.
    • Summary range: How far back in time the Splunk platform keeps these column stores, specified as a relative time string. Backfill Range should be more recent than Summary Range.
    • Max summarization search time: The maximum amount of time that the column store creation search is allowed to run, in seconds.
    • Accelerate until maximum time: When selected, runs the acceleration search until the maximum time is reached.
    • Max concurrent summarization searches: The maximum number of concurrent acceleration instances for this data model that the scheduler is allowed to run.
    • Manual rebuilds: When selected, prevents the summarize command from rebuilding outdated summaries. Admins can manually rebuild a data model in Settings. Select Settings > Data Models and locate the row for the data model. Click Rebuild to rebuild the data model.
    • Schedule priority: Raises the scheduling priority of a summary search, as follows:
      • default: No scheduling priority increase.
      • higher: Scheduling priority is higher than other data model searches.
      • highest: Scheduling priority is higher than other searches regardless of scheduling tier, except real-time-scheduled searches with priority = highest always have priority over all other searches.
      This field is only available in Splunk platform 6.5.x or later.
    • Indexes whitelist: Restricts the index attribute of the data model to specified index values to improve performance.
    • Tags whitelist: Restricts the tag attribute of the data model to specified tag values to improve performance. By default, the whitelists for each CIM data model contain the tags used as constraints for the child datasets as well as the tags used in any searches within the model. Do not remove these tags, or data model searches that rely on these tags will fail.
      You can add additional tags to this whitelist to accommodate how you have applied tags to your data. Add additional tags that you need to use to search and filter within searches for a data model.
      The tags_whitelist setting is only available in Splunk Enterprise 6.6.0 and above. For organizations running Splunk Enterprise 6.6.4 and above, there is a UI component to manage the tags_whitelist setting via the Splunk Web UI.
      For organizations running Splunk Enterprise 6.6.0 - 6.6.3, the tags_whitelist setting must be managed manually via conf file access.
      More information: See datamodels.conf.spec and Set a tag whitelist for better data model search performance in the Knowledge Manager Manual in the Splunk Enterprise documentation.
  5. Click Save.

For more information about accelerated data models and data model acceleration jobs, see Check the status of data model accelerations in this topic.

Disable acceleration for a data model

If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to de-accelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app acceleration enforcement re-accelerates the data models automatically.

If you do not have an app installed that enforces the acceleration of any CIM data models, you can edit the acceleration settings on the CIM Setup page.

  1. In Splunk Web, access the CIM Setup page:
    • Select Apps > Manage Apps and then click Set up in the row for Splunk Common Information Model.
    • Access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
  2. Select the data model for which you want to disable acceleration.
  3. Deselect the check box next to Enable acceleration to stop accelerating the data model.
  4. Click Save.

Change the summary range for data model accelerations

A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets.

  1. In Splunk Web, access the CIM Setup page:
    • Select Apps > Manage Apps and then click Set up in the row for Splunk Common Information Model.
    • Access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
  2. Select the data model you want to change.
  3. Set a summary range:
    1. Make sure that Enable acceleration is checked. A summary range only applies to accelerated data models.
    2. Review the Earliest time setting to determine the current summary range.
    3. Change the Earliest time setting.
      For example, -1y, -3mon, -1mon, -1w, -1d, or 0 for "All Time".
  4. Click Save.

The CIM Setup page only displays CIM data models. You cannot change the settings of a custom data model on the CIM Setup page. To change the summary range or other settings on a custom data model, manually edit the datamodels.conf provided with the app or add-on. For more information, see the datamodels.conf spec file in the Splunk Enterprise Admin Manual.
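
As an added example (not Splunk's own code), the following Python sketch lints a manually edited datamodels.conf against constraints stated in this topic: the backfill range must be more recent than the summary range, the schedule priority must be default, higher, or highest, and the tags whitelist must keep the tags the model depends on. The stanza name, sample values, and required tag list are constructed, and the parser handles only simple relative times such as -3mon and 0, not snap-to modifiers.

```python
import configparser
import re

# Constructed sample: a datamodels.conf stanza for a hypothetical custom data model.
SAMPLE_CONF = """
[My_Custom_Model]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.backfill_time = -3mon
acceleration.schedule_priority = urgent
tags_whitelist = authentication, default
"""

# Approximate unit lengths in seconds; only used to compare two ranges.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
                "mon": 2592000, "q": 7776000, "y": 31536000}

def lookback_seconds(value):
    """Convert '-3mon' style strings to seconds; '0' (All Time) is unbounded."""
    value = value.strip()
    if value == "0":
        return float("inf")
    match = re.fullmatch(r"-(\d+)(mon|[smhdwqy])", value)
    if not match:
        raise ValueError(f"unsupported relative time: {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def lint_datamodels_conf(text, required_tags=()):
    """Return a list of (stanza, problem) tuples for accelerated data models."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    for name in parser.sections():
        stanza = parser[name]
        if not stanza.getboolean("acceleration", fallback=False):
            continue  # settings below only matter for accelerated models
        summary = stanza.get("acceleration.earliest_time")
        backfill = stanza.get("acceleration.backfill_time")
        if summary and backfill and lookback_seconds(backfill) > lookback_seconds(summary):
            problems.append((name, "backfill range is older than summary range"))
        priority = stanza.get("acceleration.schedule_priority", "default")
        if priority not in ("default", "higher", "highest"):
            problems.append((name, f"invalid schedule priority: {priority}"))
        tags = {t.strip() for t in stanza.get("tags_whitelist", "").split(",") if t.strip()}
        missing = sorted(set(required_tags) - tags)
        if missing:
            problems.append((name, "tags_whitelist is missing: " + ", ".join(missing)))
    return problems
```

Calling lint_datamodels_conf(SAMPLE_CONF, required_tags=["authentication", "privileged"]) reports all three problems in the constructed stanza; pass the tag list from the shipped default whitelist as required_tags when checking a real file.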

Check the status of data model accelerations

Use the Data Model Audit dashboard to display information about the state of data model accelerations in your environment. Alternatively, use the `cim_datamodelinfo` macro to search the data model statuses from the search bar.

To access the dashboard:

  1. Open the Search and Reporting app.
  2. In the menu bar, click Dashboards.
  3. Select the Data Model Audit dashboard.

Dashboard panels and their descriptions:

  • Top Accelerations By Size: Displays the accelerated data models sorted in descending order by MB on disk.
  • Top Accelerations By Run Duration: Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks.
  • Acceleration Details: Displays a table of the accelerated data models with additional information.

Data model acceleration can be in progress and 100% complete at the same time. The process running and the status completing are not directly tied together.

Last modified on 10 February, 2021

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.18.0

