Release notes for the Splunk Common Information Model Add-on
Version 6.0.4 of the Splunk Common Information Model Add-on was released on April 30, 2025 and contains only backend improvements for cross-platform synchronization.
Version 6.0.3 of the Splunk Common Information Model Add-on was released on March 24, 2025 and contains only backend improvements for cross-platform synchronization.
Version 6.0.2 of the Splunk Common Information Model Add-on was released on January 16, 2025 and contains only backend improvements for cross-platform synchronization.
Version 6.0.1 of the Splunk Common Information Model Add-on was released on December 5, 2024 and contains only backend improvements for cross-platform synchronization.
Version 6.0.0 of the Splunk Common Information Model Add-on was released on November 1, 2024 and contains only backend improvements for cross-platform synchronization.
New features or enhancements
Version 6.0.4 of the Splunk Common Information Model Add-on includes no new features.
Version 6.0.3 of the Splunk Common Information Model Add-on includes no new features.
Version 6.0.2 of the Splunk Common Information Model Add-on includes no new features.
Version 6.0.1 of the Splunk Common Information Model Add-on includes no new features.
Version 6.0.0 of the Splunk Common Information Model Add-on includes no new features.
Upgrade requirements
| Splunk platform version | Upgrade activity |
|---|---|
| 8.0.x or later | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the allowlists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags allow list field. |
Compatibility
Version 5.0.x and higher of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_allowlist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.
Fixed issues
Version 6.0.4
| Date resolved | Issue number | Description |
|---|---|---|
| 2025-03-18 | CIM-1338 | Adaptive response relay is unable connect to the cloud search head. |
| Date resolved | Issue number | Description |
|---|---|---|
| 2025-02-19 | CIM-1212, CIM-1193 | Update data model: Add prescribed value <code>failure</code> to the cim field <code>status</code>. |
| 2025-02-19 | CIM-1240 | Network Resolution Data model: Correct the list of prescribed values for the <code>record_type</code> field. |
| Date resolved | Issue number | Description |
|---|---|---|
| 2024-12-19 | CIM-1300 | CIM configuration issue: After upgrading to CIM 6.0.0, link to edit index filtering macros is broken. |
| Date resolved | Issue number | Description |
|---|---|---|
| 2024-11-12 | CIM-1272 | DLP Data Model: Incidents category field is evaluated incorrectly |
| Date resolved | Issue number | Description |
|---|---|---|
| 2025-01-13 | CIM-1316, CIM-1264 | CIM 5.3.3 - Vulnerability fix: Session Key stored cam_queue lookup in clear text. |
| 2024-10-31 | CIM-1264, CIM-1258, CIM-1316 | Vulnerability fix: Session Key stored cam_queue lookup in clear text. |
| 2024-09-03 | CIM-1269 | Biased language fixed within CIM Setup UI Labels. |
| 2024-09-03 | CIM-1275 | CIM Setup - Improve UI message for DMA index filtering. |
| 2024-08-20 | CIM-1253 | "action" field is updated unexpectedly in audit events when search string contains specified strings. |
| 2024-07-11 | CIM-1225 | The Authentication DM needs a Session ID to enable ES use cases. |
| 2024-07-08 | CIM-1224 | CIM field "protocol_version" should have description saying that it should be in lower case. |
| 2024-07-08 | CIM-1156 | Description of the cim field "power" needs correction in the Performance.json. |
| 2024-07-03 | CIM-1177 | Correct the description of the signature cim field in the Intrusion Detection DM .json. |
| 2024-06-10 | CIM-1069 | Network sessions actions field prescribed values don't cleanly match the traffic. |
| 2024-05-14 | CIM-1100 | "Launch Home" hyperlink from Splunk SA_CIM incorrectly opens other random apps. |
Limitations
If you are in a search head cluster environment on Splunk Cloud Platform, you might see error messages related to adaptive response actions. To troubleshoot these issues, see Troubleshoot adaptive response actions in search head cluster deployments on Splunk Cloud Platform.
Known issues
Version 6.0.4
| Date filed | Issue number | Description |
|---|---|---|
| 2024-11-05 | CIM-1295 | CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deploymentsWorkaround:Users can manually navigate to the CIM set up page using the following link: {{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}} |
This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2024-11-05 | CIM-1295 | CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deploymentsWorkaround:Users can manually navigate to the CIM set up page using the following link: {{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}} |
| Date filed | Issue number | Description |
|---|---|---|
| 2024-11-15 | CIM-1300 | CIM configuration issue: After upgrading to CIM 6.0.0, link to edit index filtering macros is broken.Workaround:The CIM app must be configured using the CIM Setup page using the following instructions prior to accessing other app related pages:
|
| 2024-11-05 | CIM-1295 | CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deploymentsWorkaround:Users can manually navigate to the CIM set up page using the following link: {{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}} |
| Date filed | Issue number | Description |
|---|---|---|
| 2024-11-15 | CIM-1300 | CIM configuration issue: After upgrading to CIM 6.0.0, link to edit index filtering macros is broken.Workaround:The CIM app must be configured using the CIM Setup page using the following instructions prior to accessing other app related pages:
|
| 2024-11-05 | CIM-1295 | CIM configuration issue: Unable to render CIM Setup (setup.xml) on Cloud search head cluster deploymentsWorkaround:Users can manually navigate to the CIM set up page using the following link: {{http://<splunk-host>/en-US/app/Splunk_SA_CIM/cim_setup}} |
| 2024-08-29 | CIM-1272 | DLP Data Model - Incidents category field evaluates incorrectly |
| 2024-02-15 | CIM-1212, CIM-1193 | "Update" datamodel: add prescribed value "failure" to the cim field "status" |
| 2023-04-03 | CIM-1278 | Entity Zones are rarely available in ESS and ESCU's default correlation search. Workaround: Clone the correlation search that has a tstats or stats command, provided by the ESCU or ESS you wish to enable and edit the search so that the zone information (e.g., cim_entity_zone field) remains in the search results. |
| 2022-11-28 | CIM-1128, SOLNESS-33830 | The parent_process_name field is not extracted correctly when events with data model are searched. |
Deprecated or removed features
- N/A
- N/A
As of version 6.0.2:
- N/A
As of version 6.0.1:
- N/A
As of version 6.0.0:
- N/A
As of version 5.3.3:
- N/A
As of version 5.3.2:
- N/A
As of version 5.3.1:
- N/A
As of version 5.2.0:
- N/A
As of version 5.1.1:
- N/A
As of version 5.1.0:
- N/A
As of version 5.0.1:
- N/A
As of version 5.0.0:
- N/A
As of version 4.20.2:
- N/A
As of version 4.20.0:
- N/A
As of version 4.19.0:
- N/A
As of version 4.18.0:
- The
bodyfield is deprecated in favor of thedescriptionfield in the Alerts data model and will be removed in a future version. - The
subjectfield is deprecated in favor of thesignaturefield in the Alerts data model and will be removed in a future version.
As of version 4.15.0:
- The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.
As of version 4.14.0:
- The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.
As of version 4.13.0:
- N/A
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.