Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Install the Splunk Common Information Model Add-on

  1. Download the Common Information Model add-on from Splunkbase at https://apps.splunk.com/app/1621/.
  2. Review the indexes defined in CIM.
    1. The cim_summary index definition is deprecated, but is included for backwards compatibility with upgraded versions of Splunk Enterprise Security and the Splunk App for PCI Compliance. If you are not using this index definition, remove this default/indexes.conf before installation. For more information on configuring indexes.conf, see Create and edit indexes and Configure index size with volumes in Managing Indexers and Clusters of Indexers in the Splunk Enterprise documentation.
    2. The cim_modactions index definition is used with the common action model alerts and auditing. Assign the appropriate Roles to search the index.
  3. Install the Splunk Common Information Model Add-on to your search heads only. Installing this add-on to indexers results in redundant data model acceleration overhead if acceleration is enabled.
    Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Optional configuration

Visit the Splunk Common Information Model Add-on Set Up page to perform optional configurations.

  • Constrain the indexes that each datamodel searches against, to improve performance.
  • Enable or adjust the acceleration of each data model.

Access the setup page by going to Apps > Manage Apps, and then clicking on Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.4.X or later and is only accessible to Splunk admins.

Index constraints

On the Splunk Common Information Model Add-on Set Up page, you can constrain the indexes that each datamodel searches against, to improve performance. By default, each data model searches all indexes. To constrain a search, click on the name of the data model and check the boxes to indicate which indexes that data model should search.

If you have constrained a data model to selected indexes and then later add another index to your environment that is also relevant to this data model, return to this page and add the new index to your constraints.

Acceleration

All data models included in the CIM add-on have data model acceleration disabled by default. If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Set Up page, your changes will not persist because the the app acceleration enforcement re-accelerates the data models automatically.

If you are using the CIM without these apps installed, you can choose to accelerate one or more of the data models manually. To enable acceleration or change acceleration parameters, click the Settings tab in the CIM Set Up page.

For more details, see Accelerate CIM data models.

Last modified on 09 December, 2016
Overview of the Splunk Common Information Model   Release notes for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.6.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters