This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Release notes for the Splunk Common Information Model Add-on
Version 4.8.0 of the Splunk Common Information Model Add-on was released on April 14, 2017.
New features
Version 4.8.0 of the Splunk Common Information Model Add-on includes the following new features.
Performance improvements
- The Common Information Model add-on adopts the datamodels.conf attribute,
tags_whitelist, new in Splunk platform 6.6.X. This attribute improves data model search performance. If you have custom tags to include in the whitelist, you can configure the tag whitelist on the CIM setup page on Splunk platform versions 6.6.0 and later. See Set up the Splunk Common Information Model. - Data model JSON files now contain a comment field for each object that lists the tags required by that object.
Setup page improvements
- The CIM Setup page is now restricted so that only Splunk admins can view it by default. Previously, all users could view the page, but only Splunk admins could use it.
- The Indexes tab offers the option of manually editing the macros.conf file, which is useful if your indexes are not all defined on your search head.
- The Settings tab has been updated with more user-friendly field names.
Common action model improvements
- The common action model library includes a new
validate(self)method that ensures result messages are correctly associated with a result ID. See Example adaptive response action for an applied example of its usage.
Data model improvements
- The Vulnerabilities model now includes a
urlfield to represent the url involved in the discovered vulnerability. - The expected values, listed for some CIM model fields, have been updated and corrected. See How to use these reference tables.
Compatibility
Version 4.8.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2017-03-10 | CIM-452 | Installing through "Browse more apps" in Splunk Web does not rename .default lookups |
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2018-12-05 | CIM-784 | Common Action Model calculates info_file incorrectly when using per-result alerting |
| 2018-01-10 | CIM-616 | CIM 4.8+ causes "guided search" build_id errors in Enterprise Security. Workaround: Upgrade to Enterprise Security 4.7.x or higher |
| 2017-09-14 | CIM-571, CIM-577 | Python logging is not user-timezone agnostic. |
| 2017-09-05 | CIM-565 | stash_common_action_model sourcetype does not properly extract timestamps |
| 2017-08-14 | CIM-555 | Performance data model: "success" and "failure" tags missing from "tags_whitelist" Workaround: Using CIM Setup, add "success" and "failure" to tags whitelist for the Performance data model |
| 2017-07-21 | CIM-550 | Tag "unauthorized-device" missing from Intrusion_Detection whitelist Workaround: Add "unauthorized-device" to the tags whitelist setting for the Intrusion Detection data model. |
| 2017-07-19 | CIM-549 | Indexes with hyphen are not persisted on the setup page even after saved Workaround: Line 58 in Splunk_SA_CIM/appserver/static/js/views/CIMSetupView.jsshould reflect: reg = 'index\\s*=\\s*([\\w-]+|"[\\w-]+")', Instead of: reg = 'index\\s*=\\s*(\\w+|"\\w+")', A restart of splunkweb and (_bump or clearing of browser cache) required for changes to take affect. |
| 2017-05-18 | CIM-544 | Common Action Model: Double quotes are not escaped for search_name in result2stash |
| 2017-01-12 | CIM-489, TAB-2435 | Datamodel Editor empties the contents of non-standard field (i.e. comment) upon saving any edit to the model |
| 2016-10-05 | CIM-433 | btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM. Workaround: Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza): expose = [0|1] * Whether to expose the contents of file backed lookups * Exposes contents via eai:data * Optional. |
| 2016-09-16 | CIM-428, SPL-128919 | sendalert reflects owner="system" for adhoc action invocations |
| 2016-09-08 | CIM-413 | CIM setup page does not pick up indexes from index cluster Workaround: Go to Settings > Advanced search > Search macros to set the cim_$dm$_indexes (i.e. cim_Authentication_indexes) macro as appropriate. |
| 2016-07-08 | CIM-383 | Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x Workaround: Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly. |
| 2014-07-07 | CIM-169 | Remote search log warning messages from acceleration due to long search strings Workaround: Turn off truncation on indexers in etc/system/local/props.conf as shown:
|
Deprecated features
- The index definition
cim_summaryis deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
Last modified on 20 December, 2018
| Set up the Splunk Common Information Model Add-on | Support and resource links for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.8.0
Download manual
Feedback submitted, thanks!