Splunk Enterprise Security
Highlighted

Splunk CIM upgrade

Explorer

Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data model).

We are having Splunk ES on SHC, so the new app need to be pushed it from the Deployer. Also, we did some extra field extraction for some of our use cases and this has been done through UI (so i can see them under the SH's local folder).

So what process i need to follow?

Can I remove the current SplunkSACIM app from the deployer and replace it with a new one and then push it? Will it keep my custom configs in the SH's local folder or not? I am only worried because its a CIM App.

0 Karma
Highlighted

Re: Splunk CIM upgrade

SplunkTrust
SplunkTrust

Depends on what you mean by added field extractions. Do you mean you edited an existing data model? If so. You are now in the business of hand merging the data model JSON definition files for any edited data model. Unlike conf files Splunk cannot merge data model definitions. You will need to put the new app down on your deployer, make a local folder. copy the JSON of the edited data model from default to local then edit in your data model edits again to that file. THEN you can push it.

0 Karma
Highlighted

Re: Splunk CIM upgrade

Explorer

Thanks Starcher for your answer. I was under the impression that as the json files are in the local directory of the SH it should work similar to the lookups in local as well as default. We dont have a proper test environment, so i will take a backup and deploy it. I will provide you with a feedback.

0 Karma