Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Release notes for the Splunk Common Information Model Add-on

New features

Version 4.6.0 of the Splunk Common Information Model Add-on includes the following new features.

  • New common action model for custom alert actions in the Splunk platform and adaptive response actions in Splunk Enterprise Security. This common action model consists of three items:
      • a cim_actions.py library, which assists developers with building alert actions in a way that conforms to the common action model.
      • a JSON spec in alert_actions.conf.spec, which classifies actions and specifies other metadata expected by the adaptive response framework.
      • an addition to the Splunk Audit Logs data model that describes the introspection event data produced by alert actions that conform to the common action model.

Compatibility

Version 4.6.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.


Date resolved Issue number Description
2016-09-08 CIM-407 CIM setup page does not load on Safari.

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2017-07-19 CIM-549 Indexes with a hyphen are not persisted on the setup page even after being saved

Workaround:
Line 58 in Splunk_SA_CIM/appserver/static/js/views/CIMSetupView.js should read:

reg = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")',

instead of:

reg = 'index\\s*=\\s*(\\w+|"\\w+")',

A restart of splunkweb, plus either a _bump or clearing the browser cache, is required for the changes to take effect.

2016-11-10 CIM-452 Installing through "Browse more apps" in Splunk Web does not rename .default lookups

Workaround:
Download the add-on from Splunkbase and choose "Install app from file" on the Manage Apps page.
2016-10-28 CIM-443 CIM setup allows invalid time values its giving warning
2016-10-10 CIM-436 cim_actions:writeevents permits writing of empty header fields.
2016-10-07 CIM-447, SOLNESS-10821 Executing an ad-hoc action on a machine in a different time zone leads to incorrect time values
2016-10-05 CIM-433 btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.

Workaround:
Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.
2016-09-16 CIM-428, SPL-128919 sendalert reflects owner="system" for adhoc action invocations
2016-09-08 CIM-413 CIM setup page does not pick up indexes from index cluster

Workaround:
Go to Settings > Advanced search > Search macros to set the cim_$dm$_indexes macro (for example, cim_Authentication_indexes) as appropriate.
2016-07-08 CIM-383 Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x

Workaround:
Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
2014-07-07 CIM-169 Remote search log warning messages from acceleration due to long search strings

Workaround:
Turn off truncation on indexers in etc/system/local/props.conf as shown:

[splunkd_remote_searches]
TRUNCATE = 0
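
The effect of the CIM-549 workaround, as an added example that is not part of the Splunk documentation or of CIMSetupView.js: it runs the shipped and patched patterns from the workaround over a constructed index macro definition and reports which index names the shipped pattern fails to carry through. The helper names, the global matching and the sample definition are assumptions; the page does not show how CIMSetupView.js applies `reg`.

```javascript
// Patterns copied verbatim from the CIM-549 workaround text.
const SHIPPED = 'index\\s*=\\s*(\\w+|"\\w+")';
const PATCHED = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")';

// Constructed sample of a cim_<datamodel>_indexes macro definition (assumption).
const SAMPLE = '(index=main OR index=win-events OR index="os-linux" OR index = net_fw)';

// Hypothetical helper: collect every index name the pattern captures,
// stripping the optional surrounding double quotes.
function extractIndexes(pattern, definition) {
  const re = new RegExp(pattern, 'g');
  const names = [];
  let m;
  while ((m = re.exec(definition)) !== null) {
    names.push(m[1].replace(/^"|"$/g, ''));
  }
  return names;
}

// Hypothetical helper: index names that the patched pattern recovers but the
// shipped pattern truncates or skips. These are the indexes whose data would
// fall out of scope of the data model constraint after a save.
function lostIndexes(definition) {
  const kept = new Set(extractIndexes(SHIPPED, definition));
  return extractIndexes(PATCHED, definition).filter((n) => !kept.has(n));
}

// Hypothetical helper: rebuild the definition from what a pattern captured,
// to show what a parse-then-save round trip would store.
function roundTrip(pattern, definition) {
  const names = extractIndexes(pattern, definition);
  return '(' + names.map((n) => 'index=' + n).join(' OR ') + ')';
}

console.log('shipped :', roundTrip(SHIPPED, SAMPLE));
console.log('patched :', roundTrip(PATCHED, SAMPLE));
console.log('lost    :', lostIndexes(SAMPLE));
```

With the shipped pattern an unquoted hyphenated name is cut at the hyphen and a quoted one is skipped entirely, so comparing the saved macro against the intended index list is a quick check for whether an instance is affected.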

Deprecated features

  • The index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 17 December, 2021

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.6.0

