All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should the Splunk Common Information Model Add-on go onto indexers only, or should it be installed on forwarders and search heads too?

pj_0b
Engager
‎11-23-2014 03:55 PM
 
Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎11-24-2014 12:15 PM

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

View solution in original post

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎11-24-2014 02:14 PM

I'm going to follow-up and make sure that the docs cover this more clearly. Looking at the docs now, this isn't clear at all. Good question.

0 Karma
Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎11-24-2014 12:15 PM

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎11-25-2014 10:59 AM

I submitted a request to get the docs updated. They are now updated to indicate where to put the app: http://docs.splunk.com/Documentation/CIM/4.1.0/User/Install

Reply
Solved! Jump to solution

acharlieh
Influencer
‎11-23-2014 05:26 PM

I'll admit I'm not entirely sure this is correct, because I'm not using the CIM just yet. Anyways, if you follow the documentation link from the CIM download page you'll find a document on "Use the CIM to normalize data at search time". That doc says:

If you haven't already done so, get your data into Splunk Enterprise. Do not be concerned about making your data conform to the CIM in the parsing or indexing phase. You normalize your data to be CIM compliant at search time

This leads me to believe that you want to install the CIM on search heads not indexers or forwarders.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...