All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CIM is not getting validated after Splunk upgrade from 6.3 to 6.4.1

bagarwal
Path Finder
‎06-19-2016 09:26 PM

I have upgraded Splunk from 6.3 to 6.4.1 and I found CIM validation is not looking good (Refer below screen shot). It is showing event coverage less than 90 % and CIM is not validated. However, before upgrading, it was well and good for the corresponding fields (Refer 2nd screen shot below).

I am not sure where went wrong and why CIM is not validating the events. If anyone can please help me out, it would be of great help. Thanks in advance.

alt text

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

doksu
Contributor
‎06-26-2016 10:00 PM

This is caused by Enterprise Security's app import regex: https://github.com/doksu/splunk_auditd/wiki/Release-Notes#known-issues

I would suggest creating a local app_regex in the Enterprise Security app:

SplunkEnterpriseSecuritySuite/local/inputs.conf:

[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(TA_.*)
disabled = 0

Please see https://github.com/doksu/splunk_auditd/issues/11 for more discussion about the issue.

0 Karma
Reply

doksu
Contributor
‎06-21-2016 08:09 PM

Which version of the TA_linux-auditd app is installed?

Which version of the CIM app is installed?

If you run the search: eventtype=auditd_events in "Smart Mode", do you see the normal list of fields on the left-hand side?

0 Karma
Reply

bagarwal
Path Finder
‎06-22-2016 09:52 PM

Which version of the TA_linux-auditd app is installed?
Current Application: Linux Auditd
App Version
2.0.2

Which version of the CIM app is installed?

Target CIM version: 4.3.1

Current Application: SA-cim_validator
App Version
1.0
App Build
1

If you run the search: eventtype=auditd_events in "Smart Mode", do you see the normal list of fields on the left-hand side?
Yes, can see only on Search & Reporting app and Linux_auditd app. But there is no search result in CIM app and ES app.

Please help.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...