Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Acrobat logo Download topic as PDF

Install the Splunk Common Information Model Add-on

1. Download the Common Information Model add-on from Splunkbase.

2. Review the default/indexes.conf. The cim_summary index definition is deprecated, but is included for backwards compatibility with older versions of Splunk Enterprise Security and the Splunk App for PCI Compliance. If you are using the cim_summary index definition, proceed with your installation. If you are not already using this index definition, remove this default/indexes.conf before installation. For more information on configuring indexes.conf, see Create and edit indexes and Configure index size with volumes in the Managing Indexers and Clusters of Indexers Manual of the Splunk Enterprise documentation.

3. Install the Splunk Common Information Model Add-on to your search heads only. Installing this add-on to indexers results in redundant data model acceleration overhead if acceleration is enabled.

Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

4. (Optional) Visit the Splunk Common Information Model Add-on Set Up page to constrain the indexes that each datamodel searches against, to improve performance. Access the setup page by going to Apps > Manage Apps, and then clicking on Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.3.X or later.

5. (Optional) Accelerate one or more of the data models. The data models included in the CIM add-on are configured with data model acceleration turned off. For more details, see Enable data model acceleration in the Knowledge Manager Manual of the Splunk Enterprise documentation.

Last modified on 27 July, 2016
Overview of the Splunk Common Information Model
Release notes for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.3.0, 4.3.1, 4.4.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters