Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Release notes for the Splunk Common Information Model Add-on

Version 4.9.0 of the Splunk Common Information Model Add-on was released on September 22, 2017.

New features

Version 4.9.0 of the Splunk Common Information Model Add-on includes the following new features.

Setup page improvements

  • Improved user experience for adding index constraints to data models.
  • Choose whether to run acceleration searches until the maximum time is reached or not. This option can improve performance for some deployments.

See Set up the Splunk Common Information Model Add-on.

Common action model improvements

  • You can now use the ModularActionTimer class in the cim_actions.py library to report the duration of your action. Update modular action scripts to use this class so that they continue to report duration for your actions. Modular action data is no longer retrieved from the _internal index and added to the Splunk Audit Logs data model. For an example script that uses the new class, see Example response action in the Splunk developer portal.
  • Improved support for complex ad-hoc actions.

Data model improvements

  • The Splunk Audit Logs model now includes a component field that specifies which part of a modular action script is involved in the event. For example, the component field identifies the portion of the script that populated the duration field.
  • Updated descriptions for the user and src_user fields in the Change Analysis data model for clarity. See Change Analysis.
  • The Splunk_Audit.Search_Activity dataset is now a BaseEvent dataset instead of a BaseSearch dataset. As a result, you can use that dataset in a search with tstats. Update searches that use this dataset to account for the new format. For example, you can use the dataset in searches such as the following:

| tstats count from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.info="granted" OR (Search_Activity.info="completed" Search_Activity.search_type="subsearch")) by Search_Activity.search_type

| tstats `summariesonly` first(Search_Activity.search) as search,first(Search_Activity.total_run_time) as run_time,first(Search_Activity.user) as user from datamodel=Splunk_Audit.Search_Activity by Search_Activity.search_id
| stats min(run_time),avg(run_time),max(run_time),values(user) as user,count by search
| eval "min(run_time)"=round('min(run_time)', 1),"avg(run_time)"=round('avg(run_time)', 1),"max(run_time)"=round('max(run_time)', 1)
| sort 500 - "avg(run_time)"
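The two common action model changes above (duration reported by a timer class rather than scraped from _internal, and a component field that says which part of the script the duration belongs to) are easier to follow with a concrete log line in hand. The following is an added stand-in written for this page; it is not the cim_actions.py library, and ModularActionTimer's real signature is not reproduced here. It assumes an audit line format of space-separated key="value" pairs, a constructed search id, and a context manager that tags the measured duration with the component name. It also escapes double quotes inside values, the defect class that fixed issue CIM-544 describes for search_name.

```python
"""Stand-in for per-component duration reporting in a modular action script.

Constructed for illustration only. The ActionAuditLog class and the
component_timer context manager are assumptions for this example and are
not the cim_actions.py ModularAction / ModularActionTimer API.
"""
import re
import time
from contextlib import contextmanager

# One key="value" pair; the value may contain backslash-escaped characters.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def kv_escape(value):
    """Escape backslashes and double quotes so a value survives inside a quoted field."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def format_kv(fields):
    """Render an ordered dict of fields as key="value" pairs on one line."""
    return " ".join('%s="%s"' % (k, kv_escape(v)) for k, v in fields.items())


class ActionAuditLog:
    """Collects the audit lines an action script would write to its log file."""

    def __init__(self, action_name, sid):
        self.action_name = action_name
        self.sid = sid
        self.lines = []

    def message(self, signature, **fields):
        """Append one audit line; every line carries the action name and sid."""
        record = {"signature": signature, "action_name": self.action_name, "sid": self.sid}
        record.update(fields)
        self.lines.append(format_kv(record))
        return self.lines[-1]


@contextmanager
def component_timer(log, component, clock=time.monotonic):
    """Report how long `component` ran, as a duration field tagged with the component.

    `clock` is injectable so the duration is deterministic in tests.
    """
    start = clock()
    status = "success"
    try:
        yield
    except Exception:
        status = "failure"
        raise
    finally:
        log.message("Component completed", component=component,
                    action_status=status, duration="%.3f" % (clock() - start))


def parse_kv(line):
    """Parse a key="value" line back into a dict, undoing the escaping."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in KV_RE.findall(line)}


def demo():
    """Time a 'main' component that logs a search name containing quotes."""
    # Constructed sid; the ticks stand in for two monotonic clock readings.
    log = ActionAuditLog("example", "scheduler__admin__search__RMD5abc_at_1506038400_1")
    ticks = iter([100.0, 101.5])
    with component_timer(log, "main", clock=lambda: next(ticks)):
        log.message("Running search", search_name='rule "with quotes"')
    return [parse_kv(line) for line in log.lines]


def demo_failure():
    """Show that a failing component still reports its duration and status."""
    log = ActionAuditLog("example", "constructed_sid")
    ticks = iter([0.0, 0.25])
    try:
        with component_timer(log, "main", clock=lambda: next(ticks)):
            raise ValueError("simulated action error")
    except ValueError:
        pass
    return parse_kv(log.lines[-1])


if __name__ == "__main__":
    for record in demo():
        print(record)
    print(demo_failure())
```

The point of the injectable clock is that a script's duration reporting can be unit tested without sleeping; the point of escaping on write and unescaping on parse is that a search_name containing double quotes round-trips intact instead of splitting the field.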

Upgrade requirements

Splunk platform version   Upgrade activity
6.6.X or later            If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.
6.5.X or earlier          No upgrade activity required.

Compatibility

Version 4.9.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.
Date resolved   Issue number   Description
2017-09-07      CIM-565        stash_common_action_model sourcetype does not properly extract timestamps
2017-08-14      CIM-555        Performance data model: "success" and "failure" tags missing from "tags_whitelist"
2017-07-24      CIM-550        Tag "unauthorized-device" missing from Intrusion_Detection whitelist
2017-07-21      CIM-549        Indexes with hyphen are not persisted on the setup page even after saved
2017-06-28      CIM-413        CIM setup page does not pick up indexes from index cluster
2017-05-23      CIM-370        CIM DNS reply codes lookup does not match IANA
2017-05-18      CIM-544        Common Action Model: Double quotes are not escaped for search_name in result2stash

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed   Issue number        Description
2018-12-05   CIM-784             Common Action Model calculates info_file incorrectly when using per-result alerting
2018-01-10   CIM-616             CIM 4.8+ causes "guided search" build_id errors in Enterprise Security.

             Workaround:
             Upgrade to Enterprise Security 4.7.x or higher.

2017-11-01   CIM-584, CIM-601    Setup View (cim_setup) does not work on 6.4.x.

             Workaround:
             Use Splunk Enterprise 6.5.x or higher.
             Use Splunk Enterprise Settings to update data models and macros.

2017-10-31   CIM-583             Network Resolution data model has multiple references to reply_code_id field
2017-09-27   CIM-575             CIM Standalone: Setup page is broken

             Workaround:
             Expose macros in web.conf.
               1. Create a local web.conf file: $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/web.conf
               2. Place the following lines in the file:

             [expose:admin_macros]
             pattern = admin/macros

             [expose:admin_macros_ELEMENT]
             pattern = admin/macros/*
             methods = GET,POST

2017-09-14   CIM-571, CIM-577    Python logging is not user-timezone agnostic.
2016-10-05   CIM-433             btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.

             Workaround:
             Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):

             expose = [0|1]
                * Whether to expose the contents of file backed lookups
                * Exposes contents via eai:data
                * Optional.

2016-09-16   CIM-428, SPL-128919 sendalert reflects owner="system" for adhoc action invocations
2016-07-08   CIM-383             Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x

             Workaround:
             Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.

2014-07-07   CIM-169             Remote search log warning messages from acceleration due to long search strings

             Workaround:
             Turn off truncation on indexers in etc/system/local/props.conf as shown:

             [splunkd_remote_searches]
             TRUNCATE = 0

Deprecated features

  • As of version 4.5.0, the index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
  • Several configurations are deprecated and will be removed in a future release.
    • `search_activity` macro
    • `search_typer` macro
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Removed features

  • Several previously-deprecated configurations are removed in this release.
    • `search_head_pool` macro
    • mode_for_audittrail transform
    • size_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 20 December, 2018

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.9.0
