Getting Data In

Why are CIM Data tables not populating from main index?

splunk4tg
New Member

Good morning to all,

I have a newbie question. I know I’m missing something simple, wondering if someone could point me in the right direction. I currently use Syslog as an input stream and create the main index.  My Cisco applications appear to be working just fine, but I cannot get data into the same tables for the CIM-type applications to see data.

Labels (4)
Tags (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Just that we understand each other - CIM datamodel on its own is just an abstract definition which defines common data structure. It's not as such any "table". Yes, you can enable summary acceleration for some datamodels but that's just a performance feature.

Whereas a CIM model defines some common set of fields it's up to you to define proper field aliases and calculated fields in the events you want mapped to CIM so they conform to the CIM model. Usually it's the proper TA that does it.

And lastly, if I remember correctly, CIM datasets have some restrictions in form of macros (`cim_indexes` or simething like that) so you can finetune which data is covered by the mapping so that you don't "map" some data that is not CIM-compliant but for example has same-named fields.

Long story short - check your dataset definitions and verify if any events match them.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

* Make sure to install necessary Add-on related to your Cisco product from Splunkbase - https://splunkbase.splunk.com/ 

* Make sure to assign the right sourcetype as described by the Add-on documentation at the input level.

* Make sure to install the CIM data model if those tables are populated through the datamodel.

* If still things don't work please post your table's search/SPL query along with one of the event in verbose mode (make sure to hide the information which could violate your company policy.)

0 Karma
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...