All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SSE v3.1.2 CIM compliance check returns only 2 compliant fields

Suirand1
Explorer
‎07-28-2020 07:46 AM

I am very new to Splunk. Using Universal forwarder I send windows application, security, system, sysmon logs to SSE app. I followed SSE provided all data onboarding guides for indexes , sources, sourcetypes configuration. I successfully run automated introspection in data inventory dashboard. However when i run CIM Compliance Check I get only 2 compliant fields for Microsoft products. SPL searches also fail since I am missing some fieldnames which are provided in Security content. I have TA-windows and TA-sysmon installed in UF and Searched. Logs gets parsed as XML data by these TA

If I understand correctly I am missing some CIM datamodel. Could you explain where to find and how to apply the right CIM data model for this app.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 01:00 PM
If you have a separate indexer, be sure to install TAs there as well as on the search head and forwarder.
Have you installed the Common Information Model app?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Suirand1
Explorer
‎07-28-2020 11:06 PM

Indexer and search head is the same VM.  Common Information Model app along with SA-cim_vladiator are installed. 

Do not know how to debug. Is there any additional configuration needed for my setup and SSE app?

P.S. I have noticed in DATA Inventory dashboard that my products "Status" do not get "Completed".  It allways stays in "Analyzing CIM and Event Size" status.

0 Karma
Reply

marcovigilante
Observer
‎03-18-2021 04:30 AM

Hi,
did you find any fix about this issue? I've managed to edit the "complete" and "all-done" status within the kvstore, but this can't be the only fix to do.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2020 06:21 AM
I'm not sure what else you should do.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...