Release notes for the Splunk Common Information Model Add-on
Version 6.1.0 of the Splunk Common Information Model Add-on was released on June 10, 2025 and contains only back-end improvements for cross-platform synchronization.
New features or enhancements
Version 6.1.0 of the Splunk Common Information Model Add-on includes the following new features.
| Feature story | Description |
|---|---|
| CIM-1307 | New fields added to the Authentication data model: <code>process</code>, <code>reason_id</code>. |
| CIM-1321 | Add new field <code>image</code> as (optional) to the Registry and Filesystem dataset of Endpoint data model. |
Upgrade requirements
| Splunk platform version | Upgrade activity |
|---|---|
| 8.0.x or later | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the allowlists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags allow list field. |
Compatibility
Version 5.0.x and higher of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or higher. Some workarounds, such as the data models spec workaround for tags_allowlist and poll_buckets, are no longer available in version 7.0.x and higher. This might lead to btool check warnings at startup.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2025-04-16 | CIM-1278 | Entity zones are rarely available in the default correlation searches for Splunk Enterprise Security and ESCU. |
| 2025-04-15 | CIM-1139 | The Network Traffic data model omits the optional field rule_id |
| 2025-04-01 | CIM-1163 | Remove the incorrect expected value for the CIM field change_type in the Change Data model's .json |
| 2025-04-01 | CIM-1137 | The Web CIM datamodel isn't populating the url_domain field for sourcetypes such as Palo Alto Cortex logs that don't include http, https, or ftp in their URL field. |
Limitations
If you are in a search head cluster environment on Splunk Cloud Platform, you might see error messages related to adaptive response actions. To troubleshoot these issues, see Troubleshoot adaptive response actions in search head cluster deployments on Splunk Cloud Platform.
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.
Deprecated or removed features
The following are deprecated or removed features:
As of version 6.1.0:
- N/A
As of version 6.0.4:
- N/A
As of version 6.0.3:
- N/A
As of version 6.0.2:
- N/A
As of version 6.0.1:
- N/A
As of version 6.0.0:
- N/A
As of version 5.3.3:
- N/A
As of version 5.3.2:
- N/A
As of version 5.3.1:
- N/A
As of version 5.2.0:
- N/A
As of version 5.1.1:
- N/A
As of version 5.1.0:
- N/A
As of version 5.0.1:
- N/A
As of version 5.0.0:
- N/A
As of version 4.20.2:
- N/A
As of version 4.20.0:
- N/A
As of version 4.19.0:
- N/A
As of version 4.18.0:
- The
bodyfield is deprecated in favor of thedescriptionfield in the Alerts data model and will be removed in a future version. - The
subjectfield is deprecated in favor of thesignaturefield in the Alerts data model and will be removed in a future version.
As of version 4.15.0:
- The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.
As of version 4.14.0:
- The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.
As of version 4.13.0:
- N/A
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.