Solved: How to configure CIM datamodel index whitelisting ...

fatsug · ‎11-07-2022

Hello Community

I've been looking at the installation process of Splunk CIM and got stuck on a step.

After installation there seems to be a need to whitelist indexes for datamodels (or vice versa). I realize this can be done pretty easily through the GUI though normally the configuration is handled centrally.

Having come up empty looking through the content of the app/package, is it possible to specify index whitelists for particular datamodels in any conf file that I may have missed?

Best regards

smurf · ‎11-10-2022

Hi,

index whitelists are defined in macros for each data mode. Look at the macros that are in the CIM app.

smurf

View solution in original post

smurf · ‎11-10-2022

Hi,

index whitelists are defined in macros for each data mode. Look at the macros that are in the CIM app.

smurf

fatsug · ‎11-11-2022

Thank you very much @smurf. I was planning to start editing the GUI and tracking filechanges to pinpoint the right one though this does look like the right spot for whitelisting:

[cim_Endpoint_indexes]
definition = ()

While technically a second question (sorry) do you know the format for definition? Is it just CSV

[cim_Endpoint_indexes]
definition = (index1, index2)

smurf · ‎11-11-2022

No probs.

Definition of a macro is the search itself. So it could look something like this:

[cim_Endpoint_indexes]
definition = (index=index1 OR index=index2)

You can find more details in the macros.conf spec macros.conf - Splunk Documentation

smurf

fatsug · ‎11-11-2022

Fantastic!

I managed to find some defined macros and figured as much. Though no I know for sure and can push new config

Have a really nice weeked and best refards

How to configure CIM datamodel index whitelisting through configuration file(s)?

configuration

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...