Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM upgrade

spectrum2035
Explorer
‎06-10-2019 04:02 AM

Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data model).

We are having Splunk ES on SHC, so the new app need to be pushed it from the Deployer. Also, we did some extra field extraction for some of our use cases and this has been done through UI (so i can see them under the SH's local folder).

So what process i need to follow?

Can I remove the current Splunk_SA_CIM app from the deployer and replace it with a new one and then push it? Will it keep my custom configs in the SH's local folder or not? I am only worried because its a CIM App.

0 Karma
Reply

starcher
Influencer
‎06-10-2019 06:53 AM

Depends on what you mean by added field extractions. Do you mean you edited an existing data model? If so. You are now in the business of hand merging the data model JSON definition files for any edited data model. Unlike conf files Splunk cannot merge data model definitions. You will need to put the new app down on your deployer, make a local folder. copy the JSON of the edited data model from default to local then edit in your data model edits again to that file. THEN you can push it.

0 Karma
Reply

spectrum2035
Explorer
‎06-10-2019 02:15 PM

Thanks Starcher for your answer. I was under the impression that as the json files are in the local directory of the SH it should work similar to the lookups in local as well as default. We dont have a proper test environment, so i will take a backup and deploy it. I will provide you with a feedback.

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top