topic Re: How to modify data model in CIM without doing so directly in CIM? in Splunk Enterprise Security

How to modify data model in CIM without doing so directly in CIM?

lukasmecir — Sun, 07 Jun 2020 16:10:54 GMT

Hello,

I have a question about modification of data model in CIM:

I would like to add one child dataset to DM "Change". Can I do it by separate application?

What I mean exactly: If I create a modified Change.json file with a new dataset, place it to separate app (eg. my_change_dm) and place this app to $splunk_home/etc/apps directory - will my modified JSON file merge with Change.json in Splunk_SA_CIM app?
Or is there another way to modify DM in CIM without modifying it directly in the Splunk_SA_CIM app?

I know that I can modify DM directly in Splunk_SA_CIM, but for some reason I need to make some research.
Thank you very much for any info.

Regards,
Lukas Mecir

Re: How to modify data model in CIM without doing so directly in CIM?

richgalloway — Wed, 30 Sep 2020 05:25:06 GMT

Try it. It should work, except I believe you'll need to define the entire data model in your custom JSON file since I doubt Splunk will merge them. Be sure to name your app so it comes before Splunk_SA_CIM. Also, be aware that your changes will trump any future updates to that DM by the CIM app.

Re: How to modify data model in CIM without doing so directly in CIM?

woodcock — Thu, 14 May 2020 19:56:02 GMT

You don't need your own app, but definitely do not edit the existing datamodel. Just clone it and call it something like Change_Clone and then do whatever you would like. Keep them totally separate and only use the clone.

Re: How to modify data model in CIM without doing so directly in CIM?

lukasmecir — Fri, 15 May 2020 07:16:48 GMT

Thank you for your answer. I tried and you are right - entire DM must be defined in custom app and Splunk do not merge content of JSON files.

Re: How to modify data model in CIM without doing so directly in CIM?

lukasmecir — Fri, 15 May 2020 07:20:36 GMT

Hi Gregg, thank you for your answer. Just for clarification - the cloned data model "Change_Clone" will not be used by out-of-the-box reports and dashboards etc. in Splunk ES, because they are not aware of it (they are aware of out-of-the-box DM "Change" only), am I right? This is not problem for me now, I just would like clarify this.

Re: How to modify data model in CIM without doing so directly in CIM?

lukasmecir — Wed, 30 Sep 2020 05:25:18 GMT

And another question - when you say "do not edit the existing datamodel", what do you exactly mean? Do you mean that I should not change Change.json file in Splunk_SA_CIM/default dir, or I should not change it at all (even if I change it by putting modified Change.json to Splunk_SA_CIM/local dir)?

Re: How to modify data model in CIM without doing so directly in CIM?

woodcock — Sat, 16 May 2020 00:21:40 GMT

Yes, you are correct but the majority of use-cases in Splunk require adjusting and tuning to work right for each client so you are most-likely going to modify just about everything that you use in ES anyway so changing from one datamodel to another is not a big deal.

Re: How to modify data model in CIM without doing so directly in CIM?

woodcock — Sat, 16 May 2020 00:22:08 GMT

Correct. Do not change the JSON files. Changing datamodels.conf is fine.