All Apps and Add-ons

Why Splunk Common Information Model does not show data in pivot and tags aren't applied, but 'Search & Reporting' does?

prabhasgupte
Communicator

I am developing a CIM compliant app.

I have all the required configs in place - eventtypes.conf defines event correctly; tags.conf have appropriate tags enabled, that are required by data model; props.conf have needed field aliases and lookups; transforms.conf points to correct lookup csv files.

When I index the data, and search it in 'Search & Reporting' app, I can see correct eventtype, and correct tags being applied to my event. When I switch to Pivot tab and go to my data model, I can see the events matching and the pivot table gets populated.

But, when I go to 'Splunk Common Information Model' app and search, I do not see those tags being associated with my event. (although, the event is shown correctly.) I also do not see data populated in Pivot view.

However, when I manually assign those tags to the eventtype, I can see the Pivot populated.

So, I want to know:
(1) Am I missing something? something not done in config etc?
(2) If (1) is not the case, what is going wrong here?

1 Solution

jcoates_splunk
Splunk Employee
Splunk Employee

That sounds like you're doing your work in a local context... make sure your app's permissions are set to global.

View solution in original post

prabhasgupte
Communicator

Well, the only reason data wasn't showing up in CIM app was the app name. As per Splunk, the app name must start with TA or SA or DA.. only then it is recognized as CIM compliant app.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

That sounds like you're doing your work in a local context... make sure your app's permissions are set to global.

doksu
SplunkTrust
SplunkTrust

Does this search environment have ES installed?

0 Karma

prabhasgupte
Communicator

Nope, even after I set global permissions for my app, the problem is not solved.

0 Karma

prabhasgupte
Communicator

Your guess was correct, my app didn't have global permissions.

When I changed it to 'Global', it simply stopped showing me 'Splunk Common Information Model' app's view dropdown! Instead, it started showing me my app's views and dashboards!!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...