CIM Add-On or Application, which one is it?

OgoSplunkk
Engager

Why do so many people call the CIM Add-On an application? From everything that I have learned so far, wouldn't it just be considered an Add-On instead of an application? I need to understand this for testing purposes.


PickleRick
SplunkTrust

The naming depends on the context.

From the Splunk "internals" point of view, an app is just a bunch of files packed together and a namespace in which those are placed. So anything you download from Splunkbase or build yourself is an app. Splunk also comes with several built-in apps like "search".

The other perspective is the traditional distinction between an "Add-On", which provides the "backend" functionality like input definitions, extractions, calculated fields, aliases and so on, and "Apps", which contain the user-facing components like reports and dashboards. But that's just a convention which is not always kept, especially by independent authors.


thevikramyadav
Loves-to-Learn Lots

The Splunk Common Information Model (CIM) Add-On is often referred to as an application because it provides functionality beyond that of a typical add-on. While the CIM Add-On does function as an add-on in that it extends the capabilities of Splunk, it also provides pre-built dashboards, reports, and field extractions that are typically associated with applications.

The CIM Add-On is specifically designed to help users implement the CIM, which is a standard data model that enables users to normalize their data and correlate events across different data sources. As such, the CIM Add-On provides a set of pre-configured field extractions and tags that map to the CIM, making it easier for users to normalize their data.

In addition, the CIM Add-On also includes pre-built dashboards and reports that provide insights into security, network, and other operational data, which are features typically associated with applications.

Overall, while the CIM Add-On is technically an add-on, it is often referred to as an application because it provides a more comprehensive set of features and functionality than a typical add-on. Understanding this distinction may be important for testing purposes, particularly if you need to understand how the CIM Add-On interacts with other add-ons or applications in your Splunk environment.


PickleRick
SplunkTrust

Sorry, but this is just not true. The CIM add-on does not on its own provide extractions, nor does it contain any additional dashboards or reports apart from a few directly connected with the CIM state.

It provides a common (hence the name) standard to which the data should be normalized using add-ons specific to each separate type of source data.
