Install the Splunk Common Information Model Add-on
- Download the Common Information Model add-on from Splunkbase at https://apps.splunk.com/app/1621/.
- Review the indexes defined in CIM.
- The
cim_summary
index definition is deprecated, but is included for backwards compatibility with upgraded versions of Splunk Enterprise Security and the Splunk App for PCI Compliance. If you are not using this index definition, remove thisdefault/indexes.conf
before installation. For more information on configuringindexes.conf
, see Create and edit indexes and Configure index size with volumes in Managing Indexers and Clusters of Indexers in the Splunk Enterprise documentation. - The
cim_modactions
index definition is used with the common action model alerts and auditing. Assign the appropriate Roles to search the index.
- The
- Install the Splunk Common Information Model Add-on to your search heads only. Installing this add-on to indexers results in redundant data model acceleration overhead if acceleration is enabled.
Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
Optional configuration
Visit the Splunk Common Information Model Add-on Set Up page to perform optional configurations.
- Constrain the indexes that each datamodel searches against, to improve performance.
- Enable or adjust the acceleration of each data model.
Access the setup page by going to Apps > Manage Apps, and then clicking on Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.4.X or later and is only accessible to Splunk admins.
Index constraints
On the Splunk Common Information Model Add-on Set Up page, you can constrain the indexes that each datamodel searches against, to improve performance. By default, each data model searches all indexes. To constrain a search, click on the name of the data model and check the boxes to indicate which indexes that data model should search.
If you have constrained a data model to selected indexes and then later add another index to your environment that is also relevant to this data model, return to this page and add the new index to your constraints.
Acceleration
All data models included in the CIM add-on have data model acceleration disabled by default. If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Set Up page, your changes will not persist because the the app acceleration enforcement re-accelerates the data models automatically.
If you are using the CIM without these apps installed, you can choose to accelerate one or more of the data models manually. To enable acceleration or change acceleration parameters, click the Settings tab in the CIM Set Up page.
For more details, see Accelerate CIM data models.
Overview of the Splunk Common Information Model | Release notes for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.6.0
Feedback submitted, thanks!