Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk CIM upgrade

spectrum2035
Explorer
‎06-10-2019 04:02 AM

Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data model).

We are having Splunk ES on SHC, so the new app need to be pushed it from the Deployer. Also, we did some extra field extraction for some of our use cases and this has been done through UI (so i can see them under the SH's local folder).

So what process i need to follow?

Can I remove the current Splunk_SA_CIM app from the deployer and replace it with a new one and then push it? Will it keep my custom configs in the SH's local folder or not? I am only worried because its a CIM App.

0 Karma
Reply

starcher
Influencer
‎06-10-2019 06:53 AM

Depends on what you mean by added field extractions. Do you mean you edited an existing data model? If so. You are now in the business of hand merging the data model JSON definition files for any edited data model. Unlike conf files Splunk cannot merge data model definitions. You will need to put the new app down on your deployer, make a local folder. copy the JSON of the edited data model from default to local then edit in your data model edits again to that file. THEN you can push it.

0 Karma
Reply

spectrum2035
Explorer
‎06-10-2019 02:15 PM

Thanks Starcher for your answer. I was under the impression that as the json files are in the local directory of the SH it should work similar to the lookups in local as well as default. We dont have a proper test environment, so i will take a backup and deploy it. I will provide you with a feedback.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...