CIM Toolkit for Splunk Supporting Common Information Model Add-on

This app contains a search that checks each CIM 'datamodel' that is both 'enabled' and 'accelerated', runs its 'constraint'/'base-search' against all data to see what 'index'/'sourcetype' pairs have appropriately-tagged events, and compares that against the current 'macro' definition. If they differ, the suggested change is shown in the "definition_data" field. There could be a difference because some data is no longer present and the macro could/should "shrink" or because there is new data and the macro could/should "expand" or perhaps you no longer have any data coming into Splunk that is tagged for your datamodel. In the latter case, you need to investigate and if the data is still there, get it tagged correctly and if not, get it put back in, or if not, unaccelerate the datamodel. Use the "URL" field (cut & paste to browser) to jump directly to edit any datamodel's index macro. This app also contains a set of macros to greatly increase the flexibility and accuracy of SIEM drilldowns (there is an example correlation search that demonstrates this). This app and the slide deck referenced below were developed independently, but there is a great deal of common concepts and overlap so it is a perfect primer: https://foren6.files.wordpress.com/2020/12/splunk-es-correlation-searches-best-practices-v1.0-rev2.pdf