Solved: Indexes searched by CIM data models

richkappler · ‎12-18-2017

Need clarification. In Manage Apps>Splunk_SA_CIM>CIM Setup, I have a list of all the data models and table with all the indexes I have available, with a checkbox next to each.

At the top it says: By default a datamodel will search across all indexes. Use the configuration panel below to constrain data model searches to specific indexes.

Does checking the checkbox next to an index exclude or include it?

rpille_splunk · ‎12-18-2017

It includes that index and excludes all others.

It's either "search all by default if none are selected" or "search only these ones that I have selected."

View solution in original post

rpille_splunk · ‎12-18-2017

It includes that index and excludes all others.

It's either "search all by default if none are selected" or "search only these ones that I have selected."

richkappler · ‎12-18-2017

how can I "EXCLUDE" a single specific index? Only by checking the box for all the others?

micahkemp · ‎12-18-2017

Look at macros.conf in the CIM app. There is a macro for each datamodel, which defaults to some incantation of everything. You can set this to a search that excludes indexes, or includes, or whatever else you want to put in there that is a valid search.

Indexes searched by CIM data models

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...