Getting Data In

Why are CIM Data tables not populating from main index?

splunk4tg
New Member

Good morning to all,

I have a newbie question. I know I’m missing something simple, wondering if someone could point me in the right direction. I currently use Syslog as an input stream and create the main index.  My Cisco applications appear to be working just fine, but I cannot get data into the same tables for the CIM-type applications to see data.

Labels (4)
Tags (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Just that we understand each other - CIM datamodel on its own is just an abstract definition which defines common data structure. It's not as such any "table". Yes, you can enable summary acceleration for some datamodels but that's just a performance feature.

Whereas a CIM model defines some common set of fields it's up to you to define proper field aliases and calculated fields in the events you want mapped to CIM so they conform to the CIM model. Usually it's the proper TA that does it.

And lastly, if I remember correctly, CIM datasets have some restrictions in form of macros (`cim_indexes` or simething like that) so you can finetune which data is covered by the mapping so that you don't "map" some data that is not CIM-compliant but for example has same-named fields.

Long story short - check your dataset definitions and verify if any events match them.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

* Make sure to install necessary Add-on related to your Cisco product from Splunkbase - https://splunkbase.splunk.com/ 

* Make sure to assign the right sourcetype as described by the Add-on documentation at the input level.

* Make sure to install the CIM data model if those tables are populated through the datamodel.

* If still things don't work please post your table's search/SPL query along with one of the event in verbose mode (make sure to hide the information which could violate your company policy.)

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...