Getting Data In

Data model tags whitelist- Should I add tags used inside constraints on my own?


Hi all,

I installed the Splunk CIM on my Splunk instance and I've a doubt regarding tags whitelisting.

The docs says that (😞


This means that the tags whitelist configuration in Splunk CIM settings must have at least tags used within the constraints used in the specific datamodel.

Let's do an example with Authentication datamodel.

This is the default tags whitelist configuration after installing the app:


And this is the root dataset constraint:


How you can see, the tag authentication used as root constraint isn't by default one of whitelisted tags for Authentication datamodel.

Shall I add tags used inside constraints on my own? Or is there something I'm missing?

Thanks a lot

Labels (1)
0 Karma




Just here to add some information about your issue.

I don't think this is a error in the documentation but it's just tricky 😊

Indeed it is mentioned : "The list must include all of the tags in the constraint searches for the data model and any additional tags that you commonly use in searches that reference the data model."

The important words here are : "in the constraint searches for the data model", I don't know if you noticed but a datamodel have two properties : Events and Searches.


In your example you show the data model "event" and not the searches. If I take another datamodel like "Malware" we can see that here we have a searches which uses tags (malware and operation) !

I think the documentation wants to say that if you want to use SEARCHES of a datamodel then you need to add the tags in the whitelist. (hope this is understandable)

Here is a screenshot that illustrate this example.


In this example, if you don't had the "operation" tag in the whitelist_tag then the search will not work.

Hope this is helpful, have a nice day


0 Karma


I did a test, trying to figured out what's going on.

This is the situation with default tags whitelist:


Then I added the tag authentication as whitelist tag and performed the same search in the same discrete timeframe:


It seems that when i put a specific tag inside the whitelist box, then I can search and filter on it in the search (if exists obviously). The events did'nt change, the count is the same.

@richgallowayare you sure about docs' mistake?

(Sorry for italian screenshots)


0 Karma


Perhaps more imprecise than wrong.  Saying the datamodel MUST contain all of the tags specified in the constraint implies the DM will not function without it.  Your test shows the DM does function, at least partially.

If this reply helps you, Karma would be appreciated.
0 Karma


I've used the Authentication datamodel without modification many times so I suspect the documentation is incorrect.  Please submit feedback on it.

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...