Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

New features

Version 4.7.0 of the Splunk Common Information Model Add-on includes the following new features.

  • You can now configure the relative priority of data model acceleration searches on the CIM setup page.
  • Data model JSON files now contain the field descriptions and expected values in the comment parameter, making it possible to programmatically access the documentation for all fields. See How to access information directly from the JSON files for more information.
  • The Authentication data model now contains a signature and signature_id field.
  • Custom alert action introspection events are now automatically source typed to modular_alerts:<action_name>.
  • Ad-hoc adaptive response actions now execute under the context of the app from which they are executed.


Version 4.7.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.

Date resolved Issue number Description
2016-12-13 CIM-443 CIM setup allows invalid time values its giving warning
2016-11-05 CIM-447, SOLNESS-10821 Executing an ad-hoc action on a machine in a different time zone leads to incorrect time values
2016-10-24 CIM-436 cim_actions:writeevents permits writing of empty header fields.

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2017-09-05 CIM-565 stash_common_action_model sourcetype does not properly extract timestamps
2017-07-19 CIM-549 Indexes with hyphen are not persisted on the setup page even after saved

Line 58 in
should reflect:
reg = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")',

Instead of:

reg = 'index\\s*=\\s*(\\w+|"\\w+")',

A restart of splunkweb and (_bump or clearing of browser cache) required for changes to take affect.

2017-05-18 CIM-544 Common Action Model: Double quotes are not escaped for search_name in result2stash
2017-01-12 CIM-489, TAB-2435 Datamodel Editor empties the contents of non-standard field (i.e. comment) upon saving any edit to the model
2016-11-10 CIM-452 Installing through "Browse more apps" in Splunk Web does not rename .default lookups

Download the add-on from Splunkbase and choose "Install app from file" on the Manage Apps page.
2016-10-05 CIM-433 btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.

Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.
2016-09-16 CIM-428, SPL-128919 sendalert reflects owner="system" for adhoc action invocations
2016-09-08 CIM-413 CIM setup page does not pick up indexes from index cluster

Go to Settings > Advanced search > Search macros to set the cim_$dm$_indexes (i.e. cim_Authentication_indexes) macro as appropriate.
2016-07-08 CIM-383 Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x

Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
2014-10-10 CIM-226, CIM-202 In Ticket Management, field "dest" should be used for the machine that the ticket concerns.
2014-07-07 CIM-169 Remote search log warning messages from acceleration due to long search strings

Turn off truncation on indexers in etc/system/local/props.conf as shown:


Deprecated features

  • The index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 08 November, 2017
Set up the Splunk Common Information Model Add-on
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.7.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters