Relating Add-ons to CIM

We’ve long been interested in tools that help you see whether a data model is being populated. For instance, the latest version of the Splunk App for Enterprise Security includes a nice Content Profile Audit dashboard that compares the knowledge objects provided in the Enterprise Security app to the data models those objects require.

Similarly, we also want to be able to look at a data model and ask which Add-ons are trying to prepare data for it. Thanks to the efforts of some intrepid folks in our Education team (Lincoln Bowser and Bob Walden), here are a couple of reports that should be helpful. The reports query local configuration via REST so they’re cross-platform, and they leverage the fact that data model constraints are almost always expressed as tag-based searches.

For each installed add-on in this instance, list the data models that it should populate.

For each data model in this instance, list the installed add-ons that are presenting data to it.

[CIM - Add-on Tag Population By Data Model]
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
action.keyindicator.invert = 0
alert.track = 0
description = CIM - Add-on Tag Population By Data Model
display.general.timeRangePicker.show = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = |rest splunk_server=local count=0 /servicesNS/-/-/admin/datamodel-files |spath input=eai:data output=base_search path=objects{}.baseSearch |spath input=eai:data output=constraints path=objects{}.constraints{}.search |eval tag_content = mvappend(base_search,constraints) |rex max_match=0 field=tag_content "tag=\"?(?<tag_name>\w+)\"?" |mvexpand tag_name |rename title AS datamodel |append [|rest splunk_server=local count=0 /servicesNS/-/-/admin/tags |rename eai:acl.app AS app |search app="*TA*"] |stats list(datamodel) as datamodel, list(app) as app by tag_name |search datamodel=* |stats list(tag_name) as tags, values(app) as apps by datamodel |eval tags=mvdedup(tags)

[CIM - Data Model Tag Population By Add-on]
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
action.keyindicator.invert = 0
alert.track = 0
description = CIM - Data Model Tag Population By Add-on
display.general.timeRangePicker.show = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = |rest splunk_server=local count=0 /servicesNS/-/-/admin/datamodel-files |spath input=eai:data output=base_search path=objects{}.baseSearch |spath input=eai:data output=constraints path=objects{}.constraints{}.search |eval tag_content = mvappend(base_search,constraints) |rex max_match=0 field=tag_content "tag=\"?(?<tag_name>\w+)\"?" |mvexpand tag_name |rename title AS datamodel |append [|rest splunk_server=local count=0 /servicesNS/-/-/admin/tags |rename eai:acl.app AS app |search app="*TA*"] |stats list(datamodel) as datamodel, list(app) as app by tag_name |search datamodel=* |stats list(datamodel) as datamodel, values(tag_name) as tags by app |eval tags=mvdedup(tags)
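
The join these two reports perform, written out in Python as an added example (not code from the original post): it applies the same tag regex to data model JSON shaped like the `eai:data` field and matches add-ons on `tag_name`. The sample data model definitions, tag rows and `TA-example-*` app names are constructed, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Same pattern the reports' rex uses on baseSearch and constraint searches.
TAG_RE = re.compile(r'tag="?(\w+)"?')

def tags_by_datamodel(datamodels):
    """Map data model title -> set of tags named in its searches."""
    result = {}
    for title, eai_data in datamodels.items():
        tags = set()
        for obj in json.loads(eai_data).get("objects", []):
            searches = [obj.get("baseSearch") or ""]
            searches += [c.get("search") or "" for c in obj.get("constraints", [])]
            for s in searches:
                tags.update(TAG_RE.findall(s))
        result[title] = tags
    return result

def addons_by_datamodel(datamodels, tag_rows):
    """Join on tag name: data model -> sorted add-ons defining one of its tags."""
    apps_by_tag = defaultdict(set)
    for row in tag_rows:
        # Mirrors `search app="*TA*"`; SPL search matching is case-insensitive,
        # so any app whose name contains "ta" passes the filter.
        if "ta" in row["app"].lower():
            apps_by_tag[row["tag_name"]].add(row["app"])
    return {dm: sorted({a for t in tags for a in apps_by_tag.get(t, ())})
            for dm, tags in tags_by_datamodel(datamodels).items()}

# Constructed sample input (not real endpoint output).
SAMPLE_DATAMODELS = {
    "Authentication": json.dumps({"objects": [
        {"constraints": [{"search": "tag=authentication NOT (action=success user=*$)"}]}]}),
    "Network_Traffic": json.dumps({"objects": [
        {"constraints": [{"search": "tag=network tag=communicate"}]}]}),
    "Malware": json.dumps({"objects": [
        {"baseSearch": 'tag="malware" tag="attack" | eval x=1', "constraints": []}]}),
}
SAMPLE_TAGS = [
    {"tag_name": "authentication", "app": "TA-example-auth"},
    {"tag_name": "network", "app": "TA-example-firewall"},
    {"tag_name": "communicate", "app": "TA-example-firewall"},
    {"tag_name": "malware", "app": "search"},  # not an add-on; filtered out
]

if __name__ == "__main__":
    for dm, apps in addons_by_datamodel(SAMPLE_DATAMODELS, SAMPLE_TAGS).items():
        print(f"{dm}: {', '.join(apps) or 'no add-on defines its tags'}")
```

A data model that comes back with an empty add-on list is one whose tags no installed add-on defines, which is the coverage gap these reports are meant to surface.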

Ideas and feedback would be very welcome; there’s always room for improvement!