Release notes for the Splunk Common Information Model Add-on
Version 4.9.0 of the Splunk Common Information Model Add-on was released on September 22, 2017.
Version 4.9.0 of the Splunk Common Information Model Add-on includes the following new features.
Setup page improvements
- Improved user experience for adding index constraints to data models.
- Choose whether to run acceleration searches until the maximum time is reached or not. This option can improve performance for some deployments.
Common action model improvements
- You can now use the ModularActionTimer class in the
cim_actions.pylibrary to report duration for your action. Update modular action scripts to use this script to continue to report duration for your actions. Modular action data is no longer retrieved from the
_internalindex and added to the Splunk Audit Logs data model. For an example script using the new class, see Example response action in the Splunk developer portal.
- Improved support for complex ad-hoc actions.
Data model improvements
- The Splunk Audit Logs model now includes a
componentfield to specify which part of a modular action script is involved in the event. For example, to specify the portion of the script that populates the duration field.
- Updated descriptions for the
src_userfields in the Change Analysis data model for clarity. See Change Analysis.
Splunk_Audit.Search_Activitydataset is now a BaseEvent dataset instead of a BaseSearch dataset. As a result, you can use that dataset in a search with
tstats. Update searches with this dataset to account for the new format. For example, you can use the dataset in search:
| tstats count from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.info="granted" OR (Search_Activity.info="completed" Search_Activity.search_type="subsearch")) by Search_Activity.search_type
| tstats `summariesonly` first(Search_Activity.search) as search,first(Search_Activity.total_run_time) as run_time,first(Search_Activity.user) as user from datamodel=Splunk_Audit.Search_Activity by Search_Activity.search_id | stats min(run_time),avg(run_time),max(run_time),values(user) as user,count by search | eval "min(run_time)"=round('min(run_time)', 1),"avg(run_time)"=round('avg(run_time)', 1),"max(run_time)"=round('max(run_time)', 1) | sort 500 - "avg(run_time)"
|Splunk platform version||Upgrade activity|
|6.6.X or later||If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.|
|6.5.X or earlier||No upgrade activity required.|
Version 4.9.0 of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.
This version of the Splunk Common Information Model Add-on fixes the following issues.
|Date resolved||Issue number||Description|
|2017-09-07||CIM-565||stash_common_action_model sourcetype does not properly extract timestamps|
|2017-08-14||CIM-555||Performance data model: "success" and "failure" tags missing from "tags_whitelist"|
|2017-07-24||CIM-550||Tag "unauthorized-device" missing from Intrusion_Detection whitelist|
|2017-07-21||CIM-549||Indexes with hyphen are not persisted on the setup page even after saved|
|2017-06-28||CIM-413||CIM setup page does not pick up indexes from index cluster|
|2017-05-23||CIM-370||CIM DNS reply codes lookup does not match IANA|
|2017-05-18||CIM-544||Common Action Model: Double quotes are not escaped for search_name in result2stash|
This version of the Splunk Common Information Model Add-on has the following reported known issues.
|Date filed||Issue number||Description|
|2018-12-05||CIM-784||Common Action Model calculates info_file incorrectly when using per-result alerting|
|2018-01-10||CIM-616||CIM 4.8+ causes "guided search" build_id errors in Enterprise Security.|
Upgrade to Enterprise Security 4.7.x or higher
|2017-11-01||CIM-584, CIM-601||Setup View (cim_setup) does not work on 6.4.x.|
Use Splunk Enterprise 6.5.x or higher.
Use Splunk Enterprise Settings to update data models and macros.
|2017-10-31||CIM-583||Network Resolution data model has multiple references to reply_code_id field|
|2017-09-27||CIM-575||CIM Standalone: Setup page is broken|
Expose macros in web.conf.
[expose:admin_macros] pattern = admin/macros [expose:admin_macros_ELEMENT] pattern = admin/macros/* methods = GET,POST
|2017-09-14||CIM-571, CIM-577||Python logging is not user-timezone agnostic.|
|2016-10-05||CIM-433||btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.|
Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1] * Whether to expose the contents of file backed lookups * Exposes contents via eai:data * Optional.
|2016-09-16||CIM-428, SPL-128919||sendalert reflects owner="system" for adhoc action invocations|
|2016-07-08||CIM-383||Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x|
Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
|2014-07-07||CIM-169||Remote search log warning messages from acceleration due to long search strings|
Turn off truncation on indexers in
- As of version 4.5.0, the index definition
cim_summaryis deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
- Several configurations are deprecated and will be removed in a future release.
- Several previously-deprecated configurations are removed in this release.
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
Set up the Splunk Common Information Model Add-on
Support and resource links for the Splunk Common Information Model Add-on
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.9.0