Getting Data In

Why are CIM Data tables not populating from main index?

splunk4tg
New Member

Good morning to all,

I have a newbie question. I know I’m missing something simple, wondering if someone could point me in the right direction. I currently use Syslog as an input stream and create the main index.  My Cisco applications appear to be working just fine, but I cannot get data into the same tables for the CIM-type applications to see data.

Labels (4)
Tags (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Just that we understand each other - CIM datamodel on its own is just an abstract definition which defines common data structure. It's not as such any "table". Yes, you can enable summary acceleration for some datamodels but that's just a performance feature.

Whereas a CIM model defines some common set of fields it's up to you to define proper field aliases and calculated fields in the events you want mapped to CIM so they conform to the CIM model. Usually it's the proper TA that does it.

And lastly, if I remember correctly, CIM datasets have some restrictions in form of macros (`cim_indexes` or simething like that) so you can finetune which data is covered by the mapping so that you don't "map" some data that is not CIM-compliant but for example has same-named fields.

Long story short - check your dataset definitions and verify if any events match them.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

* Make sure to install necessary Add-on related to your Cisco product from Splunkbase - https://splunkbase.splunk.com/ 

* Make sure to assign the right sourcetype as described by the Add-on documentation at the input level.

* Make sure to install the CIM data model if those tables are populated through the datamodel.

* If still things don't work please post your table's search/SPL query along with one of the event in verbose mode (make sure to hide the information which could violate your company policy.)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...