Release notes for the Splunk Common Information Model Add-on
Version 5.1.0 of the Splunk Common Information Model Add-on was released on January 11, 2023.
New features
Version 5.1.0 of the Splunk Common Information Model Add-on includes the following new features:
New features | Description |
---|---|
Schema add: Endpoint DM is missing parent_process_hash field
|
|
Support added for adaptive response framework on search head cluster for Cloud in hybrid deployments | Added the process to ensure that the heavy forwarder requests for the modular action relay gets directed to the appropriate member of the search head cluster that initiates the adaptive response action. Code change for this is located in Splunk_SA_CIM/bin/relaymodaction.py .
|
Upgrade requirements
Splunk platform version | Upgrade activity |
---|---|
8.0.x or later | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the allowlists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags allow list field. |
Compatibility
Version 5.0.x of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_allowlist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.
Date resolved | Issue number | Description |
---|---|---|
2023-01-09 | CIM-1108 | Adaptive Response relay errors occur when polling a Splunk Cloud search head cluster that is configured with the Spunk_SA_CIM modular action worker. |
2022-11-17 | CIM-1047 | Endpoint DM is missing parent_process_hash field |
Limitations
If you are in a search head cluster environment on Splunk Cloud Platform, you might see error messages related to adaptive response actions. To troubleshoot these issues, see Troubleshoot adaptive response actions in search head cluster deployments on Splunk Cloud Platform.
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.
Date filed | Issue number | Description |
---|---|---|
2023-03-13 | CIM-1156 | Description of the cim field "power" needs correction in the Performance.json Workaround: The description of field Template:Power in the Performance Data model is change to: {quote}Amount of power consumed by the facilities resource, in kW.{quote} |
2023-01-18 | CIM-1140 | ARR not working when actions sent from on-prem Splunk Search Head to on-prem HWF |
2022-11-28 | CIM-1128, SOLNESS-33830 | The parent_process_name field is not extracted correctly when events with data model are searched. |
Deprecated or removed features
The following are deprecated or removed features for the last seven versions.
As of version 5.1.0:
- N/A
As of version 5.0.1:
- N/A
As of version 5.0.0:
- N/A
As of version 4.20.2:
- N/A
As of version 4.20.0:
- N/A
As of version 4.19.0:
- N/A
As of version 4.18.0:
- The
body
field is deprecated in favor of thedescription
field in the Alerts data model and will be removed in a future version. - The
subject
field is deprecated in favor of thesignature
field in the Alerts data model and will be removed in a future version.
As of version 4.15.0:
- The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.
As of version 4.14.0:
- The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.
As of version 4.13.0:
- N/A
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.1.0
Feedback submitted, thanks!