Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

Version 4.8.0 of the Splunk Common Information Model Add-on was released on April 14, 2017.

New features

Version 4.8.0 of the Splunk Common Information Model Add-on includes the following new features.

Performance improvements

  • The Common Information Model add-on adopts the datamodels.conf attribute, tags_whitelist, new in Splunk platform 6.6.X. This attribute improves data model search performance. If you have custom tags to include in the whitelist, you can configure the tag whitelist on the CIM setup page on Splunk platform versions 6.6.0 and later. See Set up the Splunk Common Information Model.
  • Data model JSON files now contain a comment field for each object that lists the tags required by that object.

Setup page improvements

  • The CIM Setup page is now restricted so that only Splunk admins can view it by default. Previously, all users could view the page, but only Splunk admins could use it.
  • The Indexes tab offers the option of manually editing the macros.conf file, which is useful if your indexes are not all defined on your search head.
  • The Settings tab has been updated with more user-friendly field names.

Common action model improvements

  • The common action model library includes a new validate(self) method that ensures result messages are correctly associated with a result ID. See Example adaptive response action for an applied example of its usage.

Data model improvements

  • The Vulnerabilities model now includes a url field to represent the url involved in the discovered vulnerability.
  • The expected values, listed for some CIM model fields, have been updated and corrected. See How to use these reference tables.


Compatibility

Version 4.8.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.

Date resolved Issue number Description
2017-03-10 CIM-452 Installing through "Browse more apps" in Splunk Web does not rename .default lookups

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2018-12-05 CIM-784 Common Action Model calculates info_file incorrectly when using per-result alerting
2018-01-10 CIM-616 CIM 4.8+ causes "guided search" build_id errors in Enterprise Security.

Workaround:
Upgrade to Enterprise Security 4.7.x or higher
2017-09-14 CIM-571, CIM-577 Python logging is not user-timezone agnostic.
2017-09-05 CIM-565 stash_common_action_model sourcetype does not properly extract timestamps
2017-08-14 CIM-555 Performance data model: "success" and "failure" tags missing from "tags_whitelist"

Workaround:
Using CIM Setup, add "success" and "failure" to tags whitelist for the Performance data model
2017-07-21 CIM-550 Tag "unauthorized-device" missing from Intrusion_Detection whitelist

Workaround:
Add "unauthorized-device" to the tags whitelist setting for the Intrusion Detection data model.
2017-07-19 CIM-549 Indexes with hyphen are not persisted on the setup page even after saved

Workaround:
Line 58 in
Splunk_SA_CIM/appserver/static/js/views/CIMSetupView.js
should reflect:
reg = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")',

Instead of:

reg = 'index\\s*=\\s*(\\w+|"\\w+")',

A restart of splunkweb and (_bump or clearing of browser cache) required for changes to take affect.

2017-05-18 CIM-544 Common Action Model: Double quotes are not escaped for search_name in result2stash
2017-01-12 CIM-489, TAB-2435 Datamodel Editor empties the contents of non-standard field (i.e. comment) upon saving any edit to the model
2016-10-05 CIM-433 btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.

Workaround:
Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.
2016-09-16 CIM-428, SPL-128919 sendalert reflects owner="system" for adhoc action invocations
2016-09-08 CIM-413 CIM setup page does not pick up indexes from index cluster

Workaround:
Go to Settings > Advanced search > Search macros to set the cim_$dm$_indexes (i.e. cim_Authentication_indexes) macro as appropriate.
2016-07-08 CIM-383 Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x

Workaround:
Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
2014-07-07 CIM-169 Remote search log warning messages from acceleration due to long search strings

Workaround:
Turn off truncation on indexers in etc/system/local/props.conf as shown:

[splunkd_remote_searches]
TRUNCATE = 0

Deprecated features

  • The index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

PREVIOUS
Set up the Splunk Common Information Model Add-on
  NEXT
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.8.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters