Release notes for the Splunk Common Information Model Add-on
New features
Version 4.7.0 of the Splunk Common Information Model Add-on includes the following new features.
- You can now configure the relative priority of data model acceleration searches on the CIM setup page.
- Data model JSON files now contain the field descriptions and expected values in the comment parameter, making it possible to programmatically access the documentation for all fields. See How to access information directly from the JSON files for more information.
- The Authentication data model now contains a signature and signature_id field.
- Custom alert action introspection events are now automatically source typed to modular_alerts:<action_name>.
- Ad-hoc adaptive response actions now execute under the context of the app from which they are executed.
Compatibility
Version 4.7.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues.
Date resolved | Issue number | Description |
---|---|---|
2016-12-13 | CIM-443 | CIM setup allows invalid time values its giving warning |
2016-11-05 | CIM-447, SOLNESS-10821 | Executing an ad-hoc action on a machine in a different time zone leads to incorrect time values |
2016-10-24 | CIM-436 | cim_actions:writeevents permits writing of empty header fields. |
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues.
Date filed | Issue number | Description |
---|---|---|
2017-09-05 | CIM-565 | stash_common_action_model sourcetype does not properly extract timestamps |
2017-07-19 | CIM-549 | Indexes with hyphen are not persisted on the setup page even after saved Workaround: Line 58 in Splunk_SA_CIM/appserver/static/js/views/CIMSetupView.js should reflect: reg = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")', instead of: reg = 'index\\s*=\\s*(\\w+|"\\w+")', A restart of splunkweb and (_bump or clearing of browser cache) is required for changes to take effect. |
2017-05-18 | CIM-544 | Common Action Model: Double quotes are not escaped for search_name in result2stash |
2017-01-12 | CIM-489, TAB-2435 | Datamodel Editor empties the contents of non-standard field (i.e. comment) upon saving any edit to the model |
2016-11-10 | CIM-452 | Installing through "Browse more apps" in Splunk Web does not rename .default lookups Workaround: Download the add-on from Splunkbase and choose "Install app from file" on the Manage Apps page. |
2016-10-05 | CIM-433 | btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM. Workaround: Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza): expose = [0|1] * Whether to expose the contents of file backed lookups * Exposes contents via eai:data * Optional. |
2016-09-16 | CIM-428, SPL-128919 | sendalert reflects owner="system" for adhoc action invocations |
2016-09-08 | CIM-413 | CIM setup page does not pick up indexes from index cluster Workaround: Go to Settings > Advanced search > Search macros to set the cim_$dm$_indexes (i.e. cim_Authentication_indexes) macro as appropriate. |
2016-07-08 | CIM-383 | Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x Workaround: Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly. |
2014-10-10 | CIM-226, CIM-202 | In Ticket Management, field "dest" should be used for the machine that the ticket concerns. |
2014-07-07 | CIM-169 | Remote search log warning messages from acceleration due to long search strings Workaround: Turn off truncation on indexers in etc/system/local/props.conf as shown: |
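The CIM-549 workaround above replaces one index-matching pattern with another. As an added example (not code from the add-on), the following JavaScript runs both pattern strings from the workaround over a constructed macro definition; the way the pattern is applied (a global scan with surrounding quotes stripped), the function names, and the sample index names are assumptions.

```javascript
// Added illustration for CIM-549; not code from Splunk_SA_CIM.
// Both pattern strings are copied verbatim from the workaround text.
const ORIGINAL = 'index\\s*=\\s*(\\w+|"\\w+")';
const PATCHED = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")';

// Assumption: the pattern is applied globally to a macro definition and
// surrounding double quotes are stripped from each captured index name.
function extractIndexes(patternSource, macroDefinition) {
  const re = new RegExp(patternSource, 'g');
  const found = [];
  for (const m of macroDefinition.matchAll(re)) {
    found.push(m[1].replace(/^"|"$/g, ''));
  }
  return found;
}

// Compare what each pattern recovers against the index names that are
// actually present in the macro definition.
function compare(macroDefinition, expected) {
  const report = {};
  for (const [label, src] of [['original', ORIGINAL], ['patched', PATCHED]]) {
    const got = extractIndexes(src, macroDefinition);
    report[label] = {
      got,
      missing: expected.filter((n) => !got.includes(n)),
      unexpected: got.filter((n) => !expected.includes(n)),
    };
  }
  return report;
}

// Constructed sample: index names are hypothetical.
const SAMPLE_MACRO =
  '(index=main OR index=win-events OR index="net-fw" OR index = "os_linux")';
const SAMPLE_EXPECTED = ['main', 'win-events', 'net-fw', 'os_linux'];

console.log(JSON.stringify(compare(SAMPLE_MACRO, SAMPLE_EXPECTED), null, 2));
```

With the original pattern, an unquoted hyphenated name is captured only up to the hyphen and a quoted hyphenated name is not matched at all, so a saved macro can end up pointing at a different index than the one entered.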
Deprecated features
- The index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0