Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


This documentation does not apply to the most recent version of CIM. Click here for the latest version.

Set up the Splunk Common Information Model Add-on

Visit the Splunk Common Information Model Add-on Setup page to perform optional configurations.

  • Constrain the indexes that each data model searches against, to improve performance.
  • Configure the tag whitelist that each data model searches against.
  • Enable or adjust the acceleration of each data model.

Access the setup page by going to Apps > Manage Apps, and then clicking on Set up in the row for Splunk Common Information Model. This setup page is supported only on Splunk platform version 6.4.X or later and is only accessible to Splunk admins.

Set index constraints

On the CIM Setup page, you can constrain the indexes that each data model searches against, to improve performance. By default, each data model searches all indexes.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Indexes tab.
  4. Select the data model that you want to modify.
  5. Check the boxes for each index that this data model should search.
  6. If not all relevant indexes are shown, add additional indexes manually. Only indexes defined on your search head are displayed, so if you have additional indexes defined only on indexers or on an indexer cluster, click Edit Manually to list the indexes you want this data model to search. For example, (index="myindex_1" OR index="myindex_2" OR index="another_index").
  7. Click Save.

If you have constrained a data model to selected indexes and then later add another index to your environment that is also relevant to this data model, return to this page and add the new index to your constraints.

Accelerate CIM data models

You can accelerate a data model to speed up the data set represented by that data model for reporting purposes. After you accelerate a data model, your reports and dashboard panels that reference the accelerated data model will return results faster. A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets. For more information about accelerating data models, see Enable data model acceleration in the Knowledge Manager Manual for Splunk Enterprise.

All data models included in the CIM add-on have data model acceleration disabled by default. If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app acceleration enforcement re-accelerates the data models automatically.

If you are using the CIM without these apps installed, you can choose to accelerate one or more of the data models manually. To enable acceleration or change acceleration parameters, click the Settings tab in the CIM Setup page.

Enable data model acceleration

Configure the acceleration parameters of the CIM data models in the CIM Setup view.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select a data model that you want to accelerate.
  5. Check the box next to Enable acceleration to accelerate the model.
  6. (Optional) Configure the advanced acceleration settings.

    Each entry gives the parameter, its description, and where to find more information.

    • Backfill time: How far back in time the Splunk platform should create its column stores, specified as a relative time string. Only set this parameter if you want to backfill less data than the retention period set by Earliest time. Refer to datamodels.conf.spec for warnings and limitations. More information: See datamodels.conf.spec and Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual in the Splunk Enterprise documentation.
    • Earliest time: How far back in time the Splunk platform should keep these column stores, specified as a relative time string.
    • Maximum time: The maximum amount of time that the column store creation search is allowed to run, in seconds.
    • Maximum concurrent searches: The maximum number of concurrent acceleration instances for this data model that the scheduler is allowed to run.
    • Manual rebuilds: When checked, this setting prevents outdated summaries from being rebuilt by the 'summarize' command. Admins can manually rebuild a data model through the Data Model Manager page by expanding the row for the affected data model and clicking Rebuild.
    • Schedule priority: Raises the scheduling priority of a summary search, as follows:
        • default: No scheduling priority increase.
        • higher: Scheduling priority is higher than other data model searches.
        • highest: Scheduling priority is higher than other searches regardless of scheduling tier, except real-time-scheduled searches with priority = highest always have priority over all other searches.

      This field is only available in Splunk platform 6.5.X or later.
    • Tags whitelist: Restricts the tag attribute of the data model to specified tag values to improve performance. By default, the whitelists for each CIM data model contain the tags used as constraints for the child datasets as well as the tags used in any searches within the model. Do not remove these tags, or data model searches that rely on these tags will fail.

      You can add additional tags to this whitelist to accommodate how you have applied tags to your data. Add additional tags that you need to use to search and filter within searches for a data model.

      This field is only available in Splunk platform 6.6.X or later.

      More information: See datamodels.conf.spec and Set a tag whitelist for better data model search performance in the Knowledge Manager Manual in the Splunk Enterprise documentation.
  7. Click Save.

For more information about accelerated data models and data model acceleration jobs, see Check the status of data model accelerations in this topic.

Disable acceleration for a data model

If you have Splunk Enterprise Security or the Splunk App for PCI Compliance installed, some of the data models in the CIM are automatically accelerated by configuration settings in these apps. If you want to change which data models are accelerated by these apps, access the Data Model Acceleration Enforcement modular input on your search head and make your changes there. If you attempt to unaccelerate a data model using any other method, including using the Settings tab in the CIM Setup page, your changes will not persist because the app acceleration enforcement re-accelerates the data models automatically.

If you do not have an app installed that enforces any CIM data models to be accelerated, you can edit the acceleration settings on the CIM Setup page.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Click on Set up in the row for Splunk Common Information Model.
  3. Click on the Settings tab.
  4. Select the data model for which you want to disable acceleration.
  5. Uncheck the box next to Enable acceleration to stop accelerating this data model.
  6. Click Save.

Change the summary range for data model accelerations

A data model's summary range setting affects the size of the data models on disk, and the processing load of creating accelerated data alongside the index buckets.

  1. In Splunk Web, go to Apps > Manage Apps.
  2. Find the Splunk Common Information Model add-on.
  3. Click Set up to open the CIM Setup page.
  4. Click the Settings tab.
  5. Select the data model you want to change.
  6. Set a summary range:
    1. Make sure that Enable acceleration is checked. A summary range only applies to accelerated data models.
    2. Review the Earliest time setting to determine the current summary range.
    3. Change the Earliest time setting. Examples: -1y, -3mon, -1mon, -1w, -1d, or 0 for "All Time".
  7. Click Save.

The CIM Setup page will only display CIM data models. A custom data model will not be displayed and cannot have its settings changed from the CIM Setup page. To change the summary range or other settings on a custom data model, manually edit the datamodels.conf provided with the app or add-on. For more information, see the datamodels.conf spec file in the Splunk Enterprise Admin Manual.
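For custom data models edited by hand, the following added example (not part of the Splunk documentation or product) lints a datamodels.conf for the two mistakes the parameter descriptions above warn about: a Backfill time that reaches further back than Earliest time, and an unrecognized Schedule priority. The stanza names and sample file are constructed; the `acceleration.*` key names are those documented in datamodels.conf.spec, and month and year lengths are approximated.

```python
import configparser
import re

# Constructed sample datamodels.conf; both stanza names are hypothetical custom models.
SAMPLE_CONF = """
[My_Custom_Model]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.backfill_time = -3mon
[Other_Custom_Model]
acceleration = true
acceleration.earliest_time = -1y
acceleration.backfill_time = -1w
acceleration.schedule_priority = urgent
"""

# Approximate unit lengths (assumption: 30-day month, 365-day year) for comparison only.
UNIT_SECONDS = {"d": 86400, "w": 7 * 86400, "mon": 30 * 86400, "y": 365 * 86400}
PRIORITIES = {"default", "higher", "highest"}

def range_seconds(value):
    """Convert -1y, -3mon, -1w, -1d or 0 ("All Time") to a look-back length in seconds."""
    if value.strip() == "0":
        return float("inf")
    m = re.fullmatch(r"-(\d+)(mon|y|w|d)", value.strip())
    if not m:
        raise ValueError(f"unsupported relative time string: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def audit(conf_text):
    """Return {stanza: [findings]} for every accelerated data model in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        s = cp[name]
        if s.get("acceleration", "false").lower() not in ("true", "1"):
            continue  # a summary range only applies to accelerated data models
        findings = []
        # Assumption: an unset earliest_time is treated as "All Time".
        earliest = range_seconds(s.get("acceleration.earliest_time", "0"))
        backfill = s.get("acceleration.backfill_time")
        if backfill and range_seconds(backfill) > earliest:
            findings.append("backfill_time reaches further back than earliest_time")
        prio = s.get("acceleration.schedule_priority", "default")
        if prio not in PRIORITIES:
            findings.append(f"unknown schedule_priority {prio!r}")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns one finding per sample stanza; an empty list means the stanza passed both checks.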

Check the status of data model accelerations

Use the Data Model Audit dashboard to display information about the state of data model accelerations in your environment. Alternatively, use the `cim_datamodelinfo` macro to search the data model statuses from the search bar.

To access the dashboard:

  1. Go to the Search and Reporting app.
  2. In the menu bar, click Dashboards.
  3. Select the Data Model Audit dashboard.

Panels on the Data Model Audit dashboard:

  • Top Accelerations By Size: Displays the accelerated data models sorted in descending order by MB on disk.
  • Top Accelerations By Run Duration: Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks.
  • Acceleration Details: Displays a table of the accelerated data models with additional information.


This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.8.0

