Accelerating Datamodel Breaks Datamodel mapping in Add-on Builder

david_rose
Communicator

I am trying to map vulnerability scan data to the Vulnerability datamodel via Add-on Builder. The mapping works fine, until I accelerate the datamodel. When I do, if I try to map a new field via AoB, I get the following error and the Vulnerability datamodel is not viewable.

Looking into the log, I see this:
2018-06-11 13:44:41,594 ERROR pid=127592 tid=CP WSGIServer Thread-18 file=cim_util.py:_get_model_attr:147 | The attribute "comment" is required in each model object.

I have not made any changes to the datamodel. After looking into the file structure of the CIM app, when the datamodel is accelerated, it creates a new Vulnerabilities.json under local. This file is different from the one under the default folder as it does not have the comment field populated. The only way I can map a new field via AoB is to disable acceleration and delete the local copy of Vulnerabilities.json.

So it is clear why AoB is erroring out, but what I don't understand is WHY is this happening? Is this just a side effect of dm acceleration that I need to live with? Is there a solution or workaround? I have tried this on 2 separate Splunk instances with the same results.

kheo_splunk
Splunk Employee

The current symptom is more relevant to the default value of returned events of the Splunk REST API, in this case "services/data/models" without specifying the "count" parameter.

The relevant REST API is referenced in the following Python script, and by default the REST API retrieves 30 items.

$SPLUNK_HOME/etc/apps/splunk_app_addon-builder/bin/tabuilder_utility/ko_util/cim_util.py 

def _get_cim_by_rest(service):

    url = "/services/data/models"

Please check how many data models have global permission on the affected Search Head where AoB (Add-on Builder) is installed, by clicking "Settings" -> "Data models" and counting the number of data models with "Global" under the "Sharing" field (the very end).

If the "Vulnerabilities" or "Web" data models are displayed at the end (beyond the 30th), that might be the cause of this symptom.

Change the permission of a couple of data models (which are not being used) from global to app, so that the "Vulnerabilities" or "Web" data model can be returned within the first 30 items from the "services/data/models" REST API without the "count" parameter.

0 Karma

david_rose
Communicator

As a test, upgraded to 7.1.1 (previous 6.6.2) and the issue no longer exists. Accelerating the data model no longer creates anything under local, and as a result, dm mapping doesn't break in AoB.

chli_splunk
Splunk Employee

Good to know CIM fixed that issue.

0 Karma

chli_splunk
Splunk Employee

This is a known issue of the CIM app. AoB requires some fields such as "comments", and the CIM app added them from 7.x. However, if there are some customized contents in the local folder, it will roll back to the version which doesn't contain these fields. Seems like the CIM app has inconsistent behavior between frontend & backend code.
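
As an added example (not code from this thread, Add-on Builder or the CIM app), the following Python check reports which objects in a data model JSON have lost their "comment" attribute in the local copy compared with the default copy, which is the condition behind the cim_util.py error quoted in the question. The embedded JSON is constructed, and the "objects"/"objectName" layout and the treatment of an empty "comment" as unpopulated are assumptions.

```python
import json

# Constructed stand-ins for default/Vulnerabilities.json and
# local/Vulnerabilities.json. Assumption: a data model JSON holds an
# "objects" list whose entries carry "objectName" and (in default) "comment".
DEFAULT_JSON = """{"modelName": "Vulnerabilities", "objects": [
  {"objectName": "Vulnerabilities", "comment": "constructed text", "fields": []},
  {"objectName": "Constructed_Child", "comment": "constructed text", "fields": []}
]}"""
LOCAL_JSON = """{"modelName": "Vulnerabilities", "objects": [
  {"objectName": "Vulnerabilities", "fields": []},
  {"objectName": "Constructed_Child", "comment": "", "fields": []}
]}"""


def comment_state(obj):
    """Classify one model object as 'absent', 'empty' or 'present'."""
    if "comment" not in obj:
        return "absent"
    # Assumption: an empty string, empty dict or null counts as unpopulated.
    return "present" if obj["comment"] else "empty"


def audit_model(model_json_text):
    """Map each objectName in a data model JSON to its comment state."""
    model = json.loads(model_json_text)
    return {
        obj.get("objectName", "<unnamed>"): comment_state(obj)
        for obj in model.get("objects", [])
    }


def regressions(default_text, local_text):
    """Objects whose comment is populated in default but not in local."""
    default_states = audit_model(default_text)
    local_states = audit_model(local_text)
    return sorted(
        name for name, state in local_states.items()
        if state != "present" and default_states.get(name) == "present"
    )


if __name__ == "__main__":
    for name in regressions(DEFAULT_JSON, LOCAL_JSON):
        print(f"{name}: comment populated in default, "
              f"{audit_model(LOCAL_JSON)[name]} in local")
```

To run it against a real installation, read the default and local copies of Vulnerabilities.json from the CIM app directory and pass their contents to `regressions`.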
