Splunk Enterprise Security

How to modify data model in CIM without doing so directly in CIM?

lukasmecir
Path Finder

Hello,

I have a question about modification of data model in CIM:

I would like to add one child dataset to DM "Change". Can I do it with a separate application?

What I mean exactly: if I create a modified Change.json file with a new dataset, place it in a separate app (e.g. my_change_dm) and place this app in the $splunk_home/etc/apps directory, will my modified JSON file merge with Change.json in the Splunk_SA_CIM app?
Or is there another way to modify DM in CIM without modifying it directly in the Splunk_SA_CIM app?

I know that I can modify the DM directly in Splunk_SA_CIM, but for some reason I need to do some research.
Thank you very much for any info.

Regards,
Lukas Mecir

1 Solution

woodcock
Esteemed Legend

You don't need your own app, but definitely do not edit the existing datamodel. Just clone it and call it something like Change_Clone and then do whatever you would like. Keep them totally separate and only use the clone.



lukasmecir
Path Finder

Hi Gregg, thank you for your answer. Just for clarification: the cloned data model "Change_Clone" will not be used by the out-of-the-box reports and dashboards etc. in Splunk ES, because they are not aware of it (they are aware of the out-of-the-box DM "Change" only), am I right? This is not a problem for me now, I would just like to clarify this.


woodcock
Esteemed Legend

Yes, you are correct, but the majority of use cases in Splunk require adjusting and tuning to work right for each client, so you are most likely going to modify just about everything that you use in ES anyway; changing from one datamodel to another is not a big deal.


lukasmecir
Path Finder

And another question: when you say "do not edit the existing datamodel", what exactly do you mean? Do you mean that I should not change the Change.json file in the Splunk_SA_CIM/default dir, or that I should not change it at all (even by putting a modified Change.json in the Splunk_SA_CIM/local dir)?


woodcock
Esteemed Legend

Correct. Do not change the JSON files. Changing datamodels.conf is fine.


richgalloway
SplunkTrust

Try it. It should work, except I believe you'll need to define the entire data model in your custom JSON file since I doubt Splunk will merge them. Be sure to name your app so it comes before Splunk_SA_CIM. Also, be aware that your changes will trump any future updates to that DM by the CIM app.


lukasmecir
Path Finder

Thank you for your answer. I tried it and you are right: the entire DM must be defined in the custom app, and Splunk does not merge the content of the JSON files.

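To illustrate the thread's conclusion (clone the DM instead of editing Change.json, ship the entire model in a separate app, Splunk does not merge JSON files), here is a small Python helper added here; it is not from the thread, from Splunk or from Splunk_SA_CIM. The cut-down Change.json stand-in, the app name my_change_dm, the dataset Firewall_Policy_Changes and its constraint search are constructed; default/data/models/ is assumed as the app directory where Splunk reads data model JSON.

```python
import copy
import json

# Constructed, cut-down stand-in for Splunk_SA_CIM's Change.json: the real key
# layout (modelName, objects, parentName, lineage, constraints, fields) but only
# the root dataset, so the example runs offline; this is not the shipped file.
CHANGE_JSON = json.dumps({
    "modelName": "Change", "displayName": "Change", "objectNameList": ["All_Changes"],
    "objects": [{
        "objectName": "All_Changes", "displayName": "All Changes",
        "parentName": "BaseEvent", "lineage": "All_Changes",
        "constraints": [{"search": "tag=change", "owner": "All_Changes"}],
        "fields": [{"fieldName": "action", "owner": "All_Changes", "type": "string"}]}]})


def clone_datamodel(model, new_name):
    """Deep-copy the model under a new name so the CIM original is never edited."""
    clone = copy.deepcopy(model)
    clone["modelName"] = clone["displayName"] = new_name
    return clone


def add_child_dataset(model, parent, name, search, fields=()):
    """Append a child dataset under `parent`; lineage is derived from the parent."""
    by_name = {o["objectName"]: o for o in model["objects"]}
    if name in by_name or parent not in by_name:
        raise ValueError(f"{name!r} already exists or parent {parent!r} is unknown")
    model["objects"].append({
        "objectName": name, "displayName": name.replace("_", " "),
        "parentName": parent, "lineage": f"{by_name[parent]['lineage']}.{name}",
        "constraints": [{"search": search, "owner": name}],
        "fields": [dict(f, owner=name) for f in fields]})
    model.setdefault("objectNameList", []).append(name)
    return model


def validate(model):
    """Unique dataset names and every parentName resolvable (or BaseEvent)."""
    names = [o["objectName"] for o in model["objects"]]
    bad = [o["objectName"] for o in model["objects"]
           if o["parentName"] != "BaseEvent" and o["parentName"] not in names]
    if bad or len(names) != len(set(names)):
        raise ValueError(f"duplicate names or unresolved parents: {bad}")
    return True


def build_app_files(app="my_change_dm", source_json=CHANGE_JSON):
    """Return {relative path: content}: the whole clone as one complete JSON file."""
    model = clone_datamodel(json.loads(source_json), "Change_Clone")
    add_child_dataset(model, "All_Changes", "Firewall_Policy_Changes",
                      "tag=change tag=firewall",  # constructed constraint search
                      fields=[{"fieldName": "rule_name", "type": "string"}])
    validate(model)
    return {f"{app}/default/data/models/Change_Clone.json": json.dumps(model, indent=2)}
```

The clone carries its own modelName, so it coexists with the CIM "Change" model and nothing in Splunk_SA_CIM is touched; enable acceleration for it in the app's datamodels.conf if needed.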