All Apps and Add-ons

Should the Splunk Common Information Model Add-on go onto indexers only, or should it be installed on forwarders and search heads too?

pj_0b
Engager
1 Solution

LukeMurphey
Champion

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

View solution in original post

LukeMurphey
Champion

I'm going to follow-up and make sure that the docs cover this more clearly. Looking at the docs now, this isn't clear at all. Good question.

0 Karma

LukeMurphey
Champion

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

LukeMurphey
Champion

I submitted a request to get the docs updated. They are now updated to indicate where to put the app: http://docs.splunk.com/Documentation/CIM/4.1.0/User/Install

acharlieh
Influencer

I'll admit I'm not entirely sure this is correct, because I'm not using the CIM just yet. Anyways, if you follow the documentation link from the CIM download page you'll find a document on "Use the CIM to normalize data at search time". That doc says:

If you haven't already done so, get your data into Splunk Enterprise. Do not be concerned about making your data conform to the CIM in the parsing or indexing phase. You normalize your data to be CIM compliant at search time

This leads me to believe that you want to install the CIM on search heads not indexers or forwarders.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...