Release notes for the Splunk Common Information Model Add-on
Version 4.9.1 of the Splunk Common Information Model Add-on was released on October 17, 2017.
Version 4.9.x of the Splunk Common Information Model Add-on includes the following new features.
Setup page improvements
- The user experience for adding index constraints to data models has been improved.
- Choose whether to run acceleration searches until the maximum time is reached or not. This option can improve performance for some deployments.
Common action model improvements
- You can now use the ModularActionTimer class in the
cim_actions.pylibrary to report duration for your action. Update modular action scripts to use this script to continue to report duration for your actions. Modular action data is no longer retrieved from the
_internalindex and added to the Splunk Audit Logs data model. For an example script using the new class, see Example response action in the Splunk developer portal.
- The support for complex ad-hoc actions has been improved.
Data model improvements
- The Splunk Audit Logs model now includes a
componentfield to specify which part of a modular action script is involved in the event. For example, to specify the portion of the script that populates the duration field.
- The Change Analysis data model has updated descriptions for the
src_userfields for improved clarity. See Change Analysis.
Splunk_Audit.Search_Activitydataset is now a BaseEvent dataset instead of a BaseSearch dataset. As a result, you can use that dataset in a search with
tstats. Update searches with this dataset to account for the new format. For example, you can use the dataset in search:
| tstats count from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.info="granted" OR (Search_Activity.info="completed" Search_Activity.search_type="subsearch")) by Search_Activity.search_type
| tstats summariesonly=true allow_old_summaries=true first(Search_Activity.search) as search,first(Search_Activity.total_run_time) as run_time,first(Search_Activity.user) as user from datamodel=Splunk_Audit.Search_Activity by Search_Activity.search_id | stats min(run_time),avg(run_time),max(run_time),values(user) as user,count by search | eval "min(run_time)"=round('min(run_time)', 1),"avg(run_time)"=round('avg(run_time)', 1),"max(run_time)"=round('max(run_time)', 1) | sort 500 - "avg(run_time)"
|Splunk platform version||Upgrade activity|
|6.6.X or later||If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.|
|6.5.X or earlier||No upgrade activity required.|
Version 4.9.x of the Splunk Common Information Model Add-on requires Splunk platform version 6.4.x or later. Some functions on the CIM setup page, such as the accelerate until max time setting, are only available in version 6.6.x and later.
This version of the Splunk Common Information Model Add-on fixes the following issues.
|Date resolved||Issue number||Description|
|2017-10-09||CIM-575||CIM Standalone: Setup page is broken|
|2017-09-18||CIM-571, CIM-577||Python logging is not user-timezone agnostic.|
This version of the Splunk Common Information Model Add-on has the following reported known issues.
|Date filed||Issue number||Description|
|2018-08-15||CIM-717||Compute_Inventory datamodel missing tag=interactive in whitelist|
|2018-01-10||CIM-616||CIM 4.8+ causes "guided search" build_id errors in Enterprise Security.|
Upgrade to Enterprise Security 4.7.x or higher
|2017-11-01||CIM-584, CIM-601||Setup View (cim_setup) does not work on 6.4.x.|
Use Splunk Enterprise 6.5.x or higher.
Use Splunk Enterprise Settings to update data models and macros.
|2017-10-31||CIM-583||Network Resolution data model has multiple references to reply_code_id field|
|2016-10-05||CIM-433||btool error: Invalid key in stanza lookup:cam_category_lookup in Splunk_SA_CIM.|
Edit SA-Utils/README/managed_configurations.conf.spec to include this entry at the very end (under the lookups stanza):
expose = [0|1] * Whether to expose the contents of file backed lookups * Exposes contents via eai:data * Optional.
|2016-09-16||CIM-428, SPL-128919||sendalert reflects owner="system" for adhoc action invocations|
|2016-07-08||CIM-383||Setup screen shows "I am legend" or "Unable to render setup" on 6.4.x|
Delete the setup.xml file (usually left over from a previous version) from the Splunk_SA_CIM/default folder and browse to the "cim_setup" view directly.
|2014-07-07||CIM-169||Remote search log warning messages from acceleration due to long search strings|
Turn off truncation on indexers in
- As of version 4.5.0, the index definition
cim_summaryis deprecated and is only used to support backward compatibility with upgraded versions of Enterprise Security. The index definition will be removed in a future release.
- Several configurations are deprecated and will be removed in a future release.
- Several previously-deprecated configurations are removed in this release.
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
Set up the Splunk Common Information Model Add-on
Support and resource links for the Splunk Common Information Model Add-on
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.9.1