Install the Splunk Common Information Model Add-on
1. Download the Common Information Model add-on from Splunkbase.
2. Review the default/indexes.conf. The cim_summary index definition is deprecated, but is included for backwards compatibility with older versions of Splunk Enterprise Security and the Splunk App for PCI Compliance. If you are using the cim_summary index definition, proceed with your installation. If you are not already using this index definition, remove this default/indexes.conf before installation. For more information on configuring indexes.conf, see Create and edit indexes and Configure index size with volumes in the Managing Indexers and Clusters of Indexers Manual of the Splunk Enterprise documentation.
3. Install the Splunk Common Information Model Add-on to your search heads only. Installing this add-on to indexers results in redundant data model acceleration overhead if acceleration is enabled.
Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
4. (Optional) Visit the Splunk Common Information Model Add-on Set Up page to constrain the indexes that each datamodel searches against, to improve performance. Access the setup page by going to Apps > Manage Apps, and then clicking on Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.3.X or later.
5. (Optional) Accelerate one or more of the data models. The data models included in the CIM add-on are configured with data model acceleration turned off. For more details, see Enable data model acceleration in the Knowledge Manager Manual of the Splunk Enterprise documentation.
| Overview of the Splunk Common Information Model | Release notes for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.3.0, 4.3.1, 4.4.0
Download manual
Feedback submitted, thanks!