Splunk Enterprise Security

Splunk CIM upgrade


Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data model).

We are having Splunk ES on SHC, so the new app need to be pushed it from the Deployer. Also, we did some extra field extraction for some of our use cases and this has been done through UI (so i can see them under the SH's local folder).

So what process i need to follow?

Can I remove the current Splunk_SA_CIM app from the deployer and replace it with a new one and then push it? Will it keep my custom configs in the SH's local folder or not? I am only worried because its a CIM App.

0 Karma


Depends on what you mean by added field extractions. Do you mean you edited an existing data model? If so. You are now in the business of hand merging the data model JSON definition files for any edited data model. Unlike conf files Splunk cannot merge data model definitions. You will need to put the new app down on your deployer, make a local folder. copy the JSON of the edited data model from default to local then edit in your data model edits again to that file. THEN you can push it.

0 Karma


Thanks Starcher for your answer. I was under the impression that as the json files are in the local directory of the SH it should work similar to the lookups in local as well as default. We dont have a proper test environment, so i will take a backup and deploy it. I will provide you with a feedback.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...