Where can I find a list of the knowledge objects included with the Splunk CIM Add-On?

CyberAar
Explorer

I know that the CIM Add-on has some knowledge objects that are obvious, which include fields, event types, tags and field aliases. What are the other knowledge objects included in the CIM Add-on?

I was not able to find a clear answer to this question in the Splunk docs. 


richgalloway
SplunkTrust

Examination of the add-on itself ($SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default) shows what KOs it creates.

There are the datamodels, of course, and the macros used within them.

There also are calculated fields, indexed fields, aliases, and reports for the audittrail, splunkd, and splunk_web_services sourcetypes.

The stash_common_action_model sourcetype.

Also defined are a KVStore collection, an external command, eventtypes, an index, inputs, REST endpoints, saved searches, tags, transforms, and dashboards.

Some of these probably should be documented.  Submit feedback on the Docs page to request it.

IMO, every TA should be examined before it is installed to see what it brings to the environment.  This helps to prevent undesired side-effects and makes the admin aware of any local changes that may be needed (like to indexes.conf).

---
If this reply helps you, Karma would be appreciated.
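The check described above (look at what the add-on's default/ directory defines before installing it), as an added example that is not part of the original reply and is not Splunk's or the add-on's own code. It assumes a standard Splunk app layout with stanza-based default/*.conf files; the sample add-on it builds is constructed, and the "environment impact" list is just the conf files named in the reply (indexes, inputs, commands, REST endpoints, KV store collections).

```shell
#!/bin/sh
# Added example for this thread: inventory the knowledge objects an add-on
# ships by listing the stanzas in each <app>/default/*.conf file.
# The sample app created below is constructed, not the real CIM add-on.
set -eu

# Print "<conf> <stanza>" for every stanza in <app_dir>/default/*.conf.
list_stanzas() {
    for conf in "$1"/default/*.conf; do
        [ -f "$conf" ] || continue
        awk -v f="$(basename "$conf" .conf)" \
            '/^\[/ { print f, substr($0, 2, index($0, "]") - 2) }' "$conf"
    done
}

# Number of stanzas a given conf (e.g. "props") defines in <app_dir>.
count_stanzas() {
    list_stanzas "$1" | awk -v f="$2" '$1 == f { n++ } END { print n + 0 }'
}

# Conf files that change the environment beyond search-time knowledge
# (indexes, inputs, custom commands, REST endpoints, KV store collections);
# prints the ones present so an admin can review them before installing.
env_impact() {
    for c in indexes inputs commands restmap collections; do
        [ -f "$1/default/$c.conf" ] && printf '%s\n' "$c"
    done
    return 0
}

# Build a small constructed add-on layout in a temp dir and print its path.
make_sample_app() {
    d=$(mktemp -d)
    mkdir -p "$d/default"
    printf '[audittrail]\nFIELDALIAS-user = user AS src_user\n\n[splunkd]\nEVAL-ok = 1\n' \
        > "$d/default/props.conf"
    printf '[sample_macro]\ndefinition = index=main\n' > "$d/default/macros.conf"
    printf '[sample_index]\nhomePath = $SPLUNK_DB/sample_index/db\n' \
        > "$d/default/indexes.conf"
    printf '%s\n' "$d"
}

app=$(make_sample_app)
list_stanzas "$app"
env_impact "$app"
rm -rf "$app"
```

Point `list_stanzas` and `env_impact` at a real unpacked add-on directory (for example $SPLUNK_HOME/etc/apps/Splunk_SA_CIM) to get the same inventory for it.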

PickleRick
SplunkTrust

Wait, wait, wait.

I can see a confusion here.

The main question is why you are asking this question. And the main issue is that people often misunderstand how CIM data models work.

CIM data models generally do not do anything. They provide data model definitions and expect the data to have specific fields or tags defined. The only tweakable thing that is defined within the CIM add-on (not within the data models themselves; again, they only use those) that I can think of is the configuration aliases used for specifying the indexes from which data models are mapped.

And that's all. The specific data models require the data to be properly tagged but they do not tag the data themselves. They require the party onboarding the data into Splunk (or the creator of a TA used for such onboarding) to prepare the data properly.

CIM data models use tags to select data but those are typically (especially if using Add-on Builder) assigned to eventtypes. But there is no strict technical requirement for it AFAIR.

CyberAar
Explorer

Not judging anybody's knowledge here at all, but you can see the problem, right... both @PrewinThomas and @Meett have different opinions on this, and there is nothing I can see on this in the documentation. I am a total beginner, so which one is the correct response?

🙂


PrewinThomas
Builder

@CyberAar 

Both answers are valid! There isn't a single official definition for your question. @Meett gave you the general/common knowledge objects found in the CIM add-on (https://splunkbase.splunk.com/app/1621), but I also pointed out other knowledge objects that are included with it (some are rarely used).

The best way to see everything is to go through your knowledge objects in Splunk one by one, set the App filter to the Splunk CIM, and set the configuration source to “Created in the app.” That way, you’ll get the full list of what’s built into CIM, and can explore them yourself.


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


PrewinThomas
Builder

@CyberAar 
Besides fields, event types, tags and field aliases, the Splunk CIM Add-on also includes the following knowledge objects:

Data Models, Field Extractions, Lookups, Commands, Macros, Workflow Actions, Views, Reports.


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


Meett
Splunk Employee

Hello @CyberAar. So the main KOs aligned with the CIM Add-on are event types, tags, field aliases, lookups, and data models.
