Question

We are running Splunk Enterprise 9.4.7 with Splunk Enterprise Security (ES) 7.3.2 and want to upgrade the bundled Common Information Model (CIM) Add-on to version 6.4.0 (released February 4, 2026). We need confirmation on whether this is a supported combination before proceeding.

What We Know from Official Docs

1. ES 7.3.2 runs on Splunk Enterprise 9.4.x — Confirmed.
   Source: Splunk Products Version Compatibility Matrix

2. CIM 6.4.0 requires Splunk platform 8.0.x or higher — Our 9.4.7 meets this.
   Source: CIM 6.4.0 Release Notes
   Quote: "Version 5.0.x and higher of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or higher."

3. ES 7.3.2 bundles CIM 5.3.2 — not 6.4.0.
   Source: ES 7.3.2 Release Notes
   Quote: "The Common Information Model Add-on is updated to version 5.3.2."
   ES 7.3.2 was released June 11, 2024. CIM 6.4.0 was released February 4, 2026 — 20 months later.

4. CIM is independently installable on search heads.
   Source: CIM 6.4.0 Install Guide
   Quote: "Install the Splunk Common Information Model Add-on to your search heads only."

The Gap

No official Splunk documentation confirms that CIM 6.4.0 has been tested or is supported when running alongside ES 7.3.2. The CIM release notes only list a Splunk platform minimum (8.0.x+) but do not specify compatible ES versions. Each ES release documents which CIM version it bundles, but Splunk does not publish a reverse mapping (CIM version to supported ES versions).

| Component | Status | Documented? |
| --- | --- | --- |
| Splunk Enterprise 9.4.x + ES 7.3.2 | Supported | Yes — Version Compat Matrix |
| Splunk Enterprise 9.4.x + CIM 6.4.0 | Platform req met (8.0.x+) | Yes — CIM 6.4.0 Release Notes |
| ES 7.3.2 bundled CIM version | 5.3.2 | Yes — ES 7.3.2 Release Notes |
| CIM 6.4.0 + ES 7.3.2 together | Unknown | No doc found |

Our Specific Questions

Has anyone successfully upgraded the CIM Add-on from 5.3.2 to 6.4.0 within an ES 7.3.2 environment without issues?

Does Splunk Support consider independently upgrading CIM beyond the version bundled with ES to be a supported configuration?

Are there any known conflicts between the new CIM 6.4.0 data model fields (Data Access, Network Sessions, Network Traffic, Endpoint) and the ES 7.3.2 correlation searches or dashboards?

Would upgrading to a newer ES version (e.g., 8.x) that natively bundles a more recent CIM be the recommended path instead?

Environment Details

| Component | Current | Target |
| --- | --- | --- |
| Splunk Enterprise | 9.4.7 | 9.4.7 (no change) |
| Splunk Enterprise Security | 7.3.2 | 7.3.2 (no change) |
| CIM Add-on (Splunk_SA_CIM) | 5.3.2 (bundled) | 6.4.0 |

All references are from docs.splunk.com as of April 2026. Looking for official confirmation or community experience before proceeding in production.