Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

Version 4.9.1 of the Splunk Common Information Model Add-on was released on October 17, 2017.

New features

Version 4.9.x of the Splunk Common Information Model Add-on includes the following new features.

Setup page improvements

  • The user experience for adding index constraints to data models has been improved.
  • Choose whether to run acceleration searches until the maximum time is reached or not. This option can improve performance for some deployments.

See Set up the Splunk Common Information Model Add-on.

Common action model improvements

  • You can now use the ModularActionTimer class in the cim_actions.py library to report duration for your action. Update modular action scripts to use this script to continue to report duration for your actions. Modular action data is no longer retrieved from the _internal index and added to the Splunk Audit Logs data model. For an example script using the new class, see Example response action in the Splunk developer portal.
  • The support for complex ad-hoc actions has been improved.

Data model improvements

  • The Splunk Audit Logs model now includes a component field to specify which part of a modular action script is involved in the event. For example, to specify the portion of the script that populates the duration field.
  • The Change Analysis data model has updated descriptions for the user and src_user fields for improved clarity. See Change Analysis.
  • The Splunk_Audit.Search_Activity dataset is now a BaseEvent dataset instead of a BaseSearch dataset. As a result, you can use that dataset in a search with tstats. Update searches with this dataset to account for the new format. For example, you can use the dataset in search:

    | tstats count from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.info="granted" OR (Search_Activity.info="completed" Search_Activity.search_type="subsearch")) by Search_Activity.search_type

    | tstats summariesonly=true allow_old_summaries=true first(Search_Activity.search) as search,first(Search_Activity.total_run_time) as run_time,first(Search_Activity.user) as user from datamodel=Splunk_Audit.Search_Activity by Search_Activity.search_id | stats min(run_time),avg(run_time),max(run_time),values(user) as user,count by search | eval "min(run_time)"=round('min(run_time)', 1),"avg(run_time)"=round('avg(run_time)', 1),"max(run_time)"=round('max(run_time)', 1) | sort 500 - "avg(run_time)"

Upgrade requirements

Splunk platform version Upgrade activity
6.6.X or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.
6.5.X or earlier No upgrade activity required.

Compatibility

Version 4.9.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.

Date resolved Issue number Description
2017-10-09 CIM-575 CIM Standalone: Setup page is broken
2017-09-18 CIM-571, CIM-577 Python logging is not user-timezone agnostic.

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues.

Date filed Issue number Description
2018-08-15 CIM-717 Compute_Inventory datamodel missing tag=interactive in whitelist
2018-01-10 CIM-616 CIM 4.8+ causes "guided search" build_id errors in Enterprise Security.

Workaround:
Upgrade to Enterprise Security 4.7.x or higher
2017-11-01 CIM-584, CIM-601 Setup View (cim_setup) does not work on 6.4.x.

Workaround:
Use Splunk Enterprise 6.5.x or higher.

Use Splunk Enterprise Settings to update data models and macros.

2017-10-31 CIM-583 Network Resolution data model has multiple references to reply_code_id field
2016-10-05 CIM-433 btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.

Workaround:
Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.
2016-09-16 CIM-428, SPL-128919 sendalert reflects owner="system" for adhoc action invocations
2016-07-08 CIM-383 Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x

Workaround:
Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
2014-10-10 CIM-226, CIM-202 In Ticket Management, field "dest" should be used for the machine that the ticket concerns.
2014-07-07 CIM-169 Remote search log warning messages from acceleration due to long search strings

Workaround:
Turn off truncation on indexers in etc/system/local/props.conf as shown:

[splunkd_remote_searches]
TRUNCATE = 0


Deprecated features

  • As of version 4.5.0, the index definition cim_summary is deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
  • Several configurations are deprecated and will be removed in a future release.
    • `search_activity` macro
    • `search_typer` macro
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Removed features

  • Several previously-deprecated configurations are removed in this release.
    • `search_head_pool` macro
    • mode_for_audittrail transform
    • size_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

PREVIOUS
Set up the Splunk Common Information Model Add-on
  NEXT
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.9.1


Comments

Sorry about the mismatch with the `summariesonly` macro, DUThibault. It is part of SA-Utils, an app included with Splunk Enterprise Security. The `summariesonly` macro is a macro that does:
summariesonly=true allow_old_summaries=true
for your search.

Smoir splunk, Splunker
November 29, 2017

What is the `summariesonly` macro appearing in the last example? It's not part of Splunk_SA_CIM.

DUThibault
November 28, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters