Splunk Enterprise Security

Splunk CIM upgrade


Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data model).

We are having Splunk ES on SHC, so the new app need to be pushed it from the Deployer. Also, we did some extra field extraction for some of our use cases and this has been done through UI (so i can see them under the SH's local folder).

So what process i need to follow?

Can I remove the current Splunk_SA_CIM app from the deployer and replace it with a new one and then push it? Will it keep my custom configs in the SH's local folder or not? I am only worried because its a CIM App.

0 Karma


Depends on what you mean by added field extractions. Do you mean you edited an existing data model? If so. You are now in the business of hand merging the data model JSON definition files for any edited data model. Unlike conf files Splunk cannot merge data model definitions. You will need to put the new app down on your deployer, make a local folder. copy the JSON of the edited data model from default to local then edit in your data model edits again to that file. THEN you can push it.

0 Karma


Thanks Starcher for your answer. I was under the impression that as the json files are in the local directory of the SH it should work similar to the lookups in local as well as default. We dont have a proper test environment, so i will take a backup and deploy it. I will provide you with a feedback.

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...