I am developing a CIM compliant app.
I have all the required configs in place - eventtypes.conf defines event correctly; tags.conf have appropriate tags enabled, that are required by data model; props.conf have needed field aliases and lookups; transforms.conf points to correct lookup csv files.
When I index the data, and search it in 'Search & Reporting' app, I can see correct eventtype, and correct tags being applied to my event. When I switch to Pivot tab and go to my data model, I can see the events matching and the pivot table gets populated.
But, when I go to 'Splunk Common Information Model' app and search, I do not see those tags being associated with my event. (although, the event is shown correctly.) I also do not see data populated in Pivot view.
However, when I manually assign those tags to the eventtype, I can see the Pivot populated.
So, I want to know:
(1) Am I missing something? something not done in config etc?
(2) If (1) is not the case, what is going wrong here?
That sounds like you're doing your work in a local context... make sure your app's permissions are set to global.
Well, the only reason data wasn't showing up in CIM app was the app name. As per Splunk, the app name must start with TA or SA or DA.. only then it is recognized as CIM compliant app.
That sounds like you're doing your work in a local context... make sure your app's permissions are set to global.
Does this search environment have ES installed?
Nope, even after I set global permissions for my app, the problem is not solved.
Your guess was correct, my app didn't have global permissions.
When I changed it to 'Global', it simply stopped showing me 'Splunk Common Information Model' app's view dropdown! Instead, it started showing me my app's views and dashboards!!