Good morning to all,
I have a newbie question. I know I’m missing something simple, wondering if someone could point me in the right direction. I currently use Syslog as an input stream and create the main index. My Cisco applications appear to be working just fine, but I cannot get data into the same tables for the CIM-type applications to see data.
Just so that we understand each other - the CIM datamodel on its own is just an abstract definition which defines a common data structure. It's not as such any "table". Yes, you can enable summary acceleration for some datamodels but that's just a performance feature.
Whereas a CIM model defines some common set of fields, it's up to you to define proper field aliases and calculated fields in the events you want mapped to CIM so they conform to the CIM model. Usually it's the proper TA that does it.
And lastly, if I remember correctly, CIM datasets have some restrictions in the form of macros (`cim_indexes` or something like that) so you can fine-tune which data is covered by the mapping so that you don't "map" some data that is not CIM-compliant but for example has same-named fields.
Long story short - check your dataset definitions and verify if any events match them.
* Make sure to install necessary Add-on related to your Cisco product from Splunkbase - https://splunkbase.splunk.com/
* Make sure to assign the right sourcetype as described by the Add-on documentation at the input level.
* Make sure to install the CIM data model if those tables are populated through the datamodel.
* If things still don't work, please post your table's search/SPL query along with one of the events in verbose mode (make sure to hide any information which could violate your company policy).
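
The pieces the replies above describe (sourcetype-level aliases and calculated fields, the tags a CIM dataset matches on, and the index-restriction macro), sketched as an added example that is not part of any post in this thread and not taken from a Cisco add-on. The sourcetype `my:cisco:sourcetype`, the raw field names `src_ip`, `dst_ip` and `vendor_action`, and the eventtype name are placeholders; the target is assumed to be the CIM Network_Traffic data model, whose index macro in Splunk_SA_CIM is `cim_Network_Traffic_indexes`.

```ini
# --- props.conf (normally shipped by the TA; shown here for a local app) ---
# Placeholder sourcetype: use the one the add-on documentation tells you
# to assign at the syslog input.
[my:cisco:sourcetype]
# Field aliases: rename the vendor's extracted fields to the CIM names.
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dst_ip AS dest
# Calculated field: normalise the vendor's verdict to the CIM "action" values.
EVAL-action = case(vendor_action=="permit", "allowed", vendor_action=="deny", "blocked", true(), "unknown")

# --- eventtypes.conf ---
# Placeholder eventtype that selects the events to be mapped.
[my_cisco_traffic]
search = sourcetype="my:cisco:sourcetype"

# --- tags.conf ---
# Network_Traffic only matches events tagged network AND communicate.
[eventtype=my_cisco_traffic]
network = enabled
communicate = enabled

# --- macros.conf (Splunk_SA_CIM/local) ---
# Restrict the data model to the index that actually holds the syslog data
# (the question says it lands in "main"). An empty definition means the
# searching role's default indexes are used.
[cim_Network_Traffic_indexes]
definition = (index=main)

# Quick check from the search bar once the above is deployed:
#   | tstats summariesonly=false count from datamodel=Network_Traffic by sourcetype
# No row for your sourcetype means the events still fail the tag or index constraint.
```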