All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should the Splunk Common Information Model Add-on go onto indexers only, or should it be installed on forwarders and search heads too?

pj_0b
Engager
‎11-23-2014 03:55 PM
 
Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎11-24-2014 12:15 PM

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

View solution in original post

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎11-24-2014 02:14 PM

I'm going to follow-up and make sure that the docs cover this more clearly. Looking at the docs now, this isn't clear at all. Good question.

0 Karma
Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎11-24-2014 12:15 PM

Install it on your search heads.

It is important that you don't install it on indexers because you can cause the indexers to do double work accelerating the data if you enable data-model acceleration.

If you have it on the search head only, the search head will request acceleration to the indexers and the indexers will begin accelerating the data on behalf of the search-head. If you have the CIM app on the indexers too, then the indexers will accelerate the data for the search head and they will attempt to accelerate if for themselves (they won't recognize the accelerated data already exists since the search head requested it).

Reply
Solved! Jump to solution

LukeMurphey
Champion
‎11-25-2014 10:59 AM

I submitted a request to get the docs updated. They are now updated to indicate where to put the app: http://docs.splunk.com/Documentation/CIM/4.1.0/User/Install

Reply
Solved! Jump to solution

acharlieh
Influencer
‎11-23-2014 05:26 PM

I'll admit I'm not entirely sure this is correct, because I'm not using the CIM just yet. Anyways, if you follow the documentation link from the CIM download page you'll find a document on "Use the CIM to normalize data at search time". That doc says:

If you haven't already done so, get your data into Splunk Enterprise. Do not be concerned about making your data conform to the CIM in the parsing or indexing phase. You normalize your data to be CIM compliant at search time

This leads me to believe that you want to install the CIM on search heads not indexers or forwarders.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...