Hi,
We have 3 search heads in a SHC, I am planning to deploy "Splunk_SA_CIM" in my SHC from Deployer.
Question 1 - Once "Splunk_SA_CIM" is deployed to the SHC members, and then, for example, I edit the "cim_Network_Traffic_indexes" macro from the Search Head GUI (search heads are behind an LB), add the firewall index to it and then accelerate the "Network Traffic" DM from the GUI, will this accelerate the DM on all 3 Search Head members, and will the macro be updated on all 3 SH members too?
Question 2 - Or should I make the above changes in the "Splunk_SA_CIM" app under the "local" folder in macros.conf and datamodels.conf on the deployer and push to the SHC?
Question 3 - What is the correct way to manage/update the datamodels config in the "Splunk_SA_CIM" app (adding indexes, enabling acceleration, adding/removing fields) in a Search Head Cluster which will also have the Enterprise Security app installed in the near future?
Hi @ankycampy,
did you follow all the instructions at https://docs.splunk.com/Documentation/CIM/5.0.0/User/Install ?
Which kind of architecture do you have? OK, a Search Head Cluster, but do you have clustered or non-clustered indexers?
Are your Search Heads configured to send logs to your Indexers?
Ciao.
Giuseppe
Hi,
Thanks for the response. Yes, we have 3 search head members in the SHC and 3 indexers in an Indexer Cluster.
The Search Heads are forwarding their logs to the indexers.
Yes, I have gone through https://docs.splunk.com/Documentation/CIM/5.0.0/User/Install but I am unable to find how to set up CIM in an SHC environment.
I can push the CIM app using the deployer to the SHC; how do I configure it (via the GUI of an SH (the SHs are behind an LB), or configure the CIM app on the deployer and push it to the SHC)?
After you push the app to SHC, any subsequent modification should be done via GUI. It's not as much a matter of consistency across the search-heads, because that you can achieve in other ways as well, but when you edit the datamodel via GUI, there are additional validating mechanisms which keep you from misconfiguring your datamodels too much. I don't remember exactly where but it's explicitly stated in the docs.
There is however one situation in which you should manually deploy the datamodel configuration - it's when you have more than one search-head or search-head cluster accessing the same indexer(s) independently and you want to share accelerated summaries. But it's a way more advanced topic than you need at the moment, I think.
Hi @ankycampy ,
you have to install the App on the SHC using Deployer (you can find all the instructions to do this on the above page).
Then each setup you'll do via GUI (https://docs.splunk.com/Documentation/CIM/5.0.0/User/Setup) on one SH will be replicated on the others by the SHC.
Ciao.
Giuseppe
Thanks. So the CIM app will be deployed normally using the deployer, the rest of the config I will do via the GUI, and it will be replicated to the SHC members.
That means the SHC members will have more up-to-date config (done via the GUI) in the CIM app than we had in the CIM app on the deployer originally. The SHC members will have the GUI-updated config in the local folder of the app, which won't be affected when in future we may upgrade the CIM app from the deployer to the SHC.
Hope this understanding is correct?
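For the deployer-side path raised in Question 2 (and the "manual deploy" case PickleRick mentions), here is an added example that is not from the thread or from Splunk's own documentation. It writes the two settings files into the deployer's copy of the app, pushes the bundle, and shows how to check on a member which file supplies the effective macro. The deployer merges an app's `local/` into `default/` on the members, so anything pushed this way becomes the baseline and GUI edits (which land in the member's `local/`) override it. `SPLUNK_HOME`, the member hostname, the credentials and the `-7d` summary range are placeholders/assumed values, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): prepare the deployer-side
# copy of Splunk_SA_CIM, push the bundle, and verify the result on a member.
# Assumptions: SPLUNK_HOME, the member URL and the credentials are placeholders.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Write macros.conf and datamodels.conf under <app_root>/local.
# On the members the deployer merges an app's local/ into default/, so these
# become the baseline; GUI edits go to the member's local/ and take precedence.
write_cim_local_conf() {
    app_root="$1"
    mkdir -p "$app_root/local"
    cat > "$app_root/local/macros.conf" <<'EOF'
# Constrain the Network Traffic data model to the firewall index.
[cim_Network_Traffic_indexes]
definition = (index=firewall)
EOF
    cat > "$app_root/local/datamodels.conf" <<'EOF'
# Accelerate Network Traffic; the summary range is an assumed example value.
[Network_Traffic]
acceleration = 1
acceleration.earliest_time = -7d
EOF
}

# Return 0 when the stanza for the given macro name exists in the written file.
has_macro_stanza() {
    grep -q "^\[$2\]" "$1/local/macros.conf"
}

push_bundle() {
    # Target any one member; the captain distributes the bundle to the others.
    "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle \
        -target "https://sh1.example.internal:8089" -auth admin:CHANGEME
}

verify_on_member() {
    # Run on a member: shows the effective definition and the file it comes from
    # (default/ for pushed settings, local/ for edits made through the GUI).
    "$SPLUNK_HOME/bin/splunk" btool macros list cim_Network_Traffic_indexes --debug
}

# Only touch the deployer and push when explicitly asked.
if [ "${1:-}" = "push" ]; then
    write_cim_local_conf "$SPLUNK_HOME/etc/shcluster/apps/Splunk_SA_CIM"
    push_bundle
fi
```

Run it as `sh deploy_cim.sh push` on the deployer, then `verify_on_member` on any SH; if the `--debug` output points at `local/macros.conf`, a GUI edit is already overriding what was pushed, which is the behaviour the thread relies on for upgrades.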
Hi @ankycampy,
Yes, exactly!
This is the same approach that you use with e.g. Enterprise Security.
In fact, CIM is a part of it.
Tell me if I can help you more, otherwise, please, accept an answer for the other people of Community.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
Can anyone help with the above query?