Getting Data In

Why are CIM Data tables not populating from main index?

splunk4tg
New Member

Good morning to all,

I have a newbie question. I know I’m missing something simple, wondering if someone could point me in the right direction. I currently use Syslog as an input stream and create the main index.  My Cisco applications appear to be working just fine, but I cannot get data into the same tables for the CIM-type applications to see data.

Labels (4)
Tags (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Just that we understand each other - CIM datamodel on its own is just an abstract definition which defines common data structure. It's not as such any "table". Yes, you can enable summary acceleration for some datamodels but that's just a performance feature.

Whereas a CIM model defines some common set of fields it's up to you to define proper field aliases and calculated fields in the events you want mapped to CIM so they conform to the CIM model. Usually it's the proper TA that does it.

And lastly, if I remember correctly, CIM datasets have some restrictions in form of macros (`cim_indexes` or simething like that) so you can finetune which data is covered by the mapping so that you don't "map" some data that is not CIM-compliant but for example has same-named fields.

Long story short - check your dataset definitions and verify if any events match them.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

* Make sure to install necessary Add-on related to your Cisco product from Splunkbase - https://splunkbase.splunk.com/ 

* Make sure to assign the right sourcetype as described by the Add-on documentation at the input level.

* Make sure to install the CIM data model if those tables are populated through the datamodel.

* If still things don't work please post your table's search/SPL query along with one of the event in verbose mode (make sure to hide the information which could violate your company policy.)

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...