I am trying to map vulnerability scan data to the Vulnerability datamodel via Add-on Builder. The mapping works fine, until I accelerate the datamodel. When I do, if I try to map a new field via AoB, I get the following error and the Vulnerability datamodel is not viewable.
Looking into the log, i see this:
2018-06-11 13:44:41,594 ERROR pid=127592 tid=CP WSGIServer Thread-18 file=cimutil.py:getmodelattr:147 | The attribute "comment" is required in each model object.
I have not made any changes to the datamodel. After looking into the file structure of the CIM app, when the datamodel is accelerated, it creates a new Vulnerabilities.json under local. This file is different from the one under the default folder as it does not have the comment field populated. The only way i can map a new field via AoB, is to disable acceleration and delete the local copy of Vulnerabilities.json.
So it is clear why AoB is erroring out, but what i dont understand is WHY is this happening? Is this jsut a side effect of dm acceleration that I need to live with? Is there a solution or workaround? I have tried this on 2 seperate Splunk instances with the same results.
This is the known issue of CIM app. AoB requires some fields such as "comments", and CIM app added them from 7.x. However, if there are some customized contents in local folder, it will rollback to the version which doesn't contain these fields. Seems like CIM app has inconsistent behavior between frontend & backend codes.
As a test, upgraded to 7.1.1 (previous 6.6.2) and the issue no longer exists. Accelerating the data model no longer creates anything under local, and as a result, dm mapping doesnt break in AoB.
The current symptom is more relevant to default value of returned event of Splunk rest api, in this case, "services/data/models" without specifying "count" parameter.
The relevant rest api is referenced in the following python script and by default, the rest api retrieves 30 items.
Please check how many data models are with global permission in the affected Search Head where AoB(Addon Builder is installed) by clicking "Settings" -> "Data models" and count the number of Datamodels with "Global" under "Sharing" field(the very end).
If "Vulnerabilities" or "Web" data models are displayed at the end(beyond 30th), that might be the cause of this symptom.
Changing the permission a couple of data models(which are not being used) from global to app, so that "Vulnerabilities" or "Web" data model can be returned within the first 30 items from "services/data/models" rest api without "count" parameter.