https://answers.splunk.com/answers/629476/why-sa-cim-validator-app-is-not-loading-my-rawdata.html

a summary view of all the eventtypes that make up a tag would be useful such that it could be tackled by individual ETs

I run a Splunk User Group and the SA-cim-vladiator / SA-cim_validator was requested for a topic of a meeting by a user. Would you be interested in speaking at one of our virtual meeting?

The DM search seems to now call fields as DM.* type format, causing no values to be returned. Need to enhance the logic to perform | rename <<DM_NAME>>.* AS * in the pipeline to work around this.

While this command was a quick hack, it tosses errors when 0 input is fed, lets do this more gracefully..

Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Apparchitectureandobjectownership

I would love to be able to be notified if my data has changed. The app is great, and it would be great to be able to specify a list of monitored sourcetypes that can be rechecked periodically (nightly?) so that I can get a notification of changes. Use case is that some log sources change periodically; I might have an upstream log source updated, and all of a sudden I would end up with new values for action that are not desired.

Identify the fields that ES actually uses, as from most DM's only handful are used, then suggest to the user that these must absolutely be present, otherwise ES won't look as pretty.

when field has only 1 value with 100% coverage, mvmath_result shows 0.01%

The Upgrade Readiness App reports "[t]his app is [in]compatible with Python 3."

Issue:
File path designates Python 2 library.
Incompatible File Paths
File Location

1. .../bin/mvmath.py

App:SA-cim_vladiator
File Path:.../bin/mvmath.py
Issue No.
Issues
1.
@@ -14,8 +14,9 @@

 # Mini 'six'-like compat layer
 import sys
+import six
 if sys.version_info[0] == 2:
-    string_types = (basestring,)
+    string_types = (six.string_types,)
 else:
     string_types = (str,)

Presently, logic is controlled by a case() statement, meaning only one "outcome" can be shown. This is fine, however, should the validatator show multiple outcomes?

present:
< 90% coverage

possible:
`< 90% coverage AND your data is junk``

So I wanted to see if you can help me make these updates by suggestions etc.

I would need to fix the items below in order to use your app in the cloud.

here is more info on the results below : http://dev.splunk.com/view/appinspect/SP-CAAAE9U

Check that when decompressed the Splunk App directory name matches the app.conf [package] stanza's id property. | The app.conf [package] stanza has an id property that does not match the uncompressed directory's name. app.conf [package] id: SA-cim_vladiator uncompressed directory name: SA-cim_vladiator-master

When valid IPv6 addresses are present in the dest_ip, dest, src_ip, or src fields, the CIM Validator flags all of the IPv6 addresses as "unexpected values" and marks that field as having elevated issues.
Please extend the validation for those fields to include IPv6 support.

I am able to install this successfully in on-prem, but when installing in Splunk cloud im able to see multiple errors attached below.

Failures will block the Cloud Vetting. They must be fixed.
check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files

A prohibited file or directory was found in the extracted Splunk App: .gitignore

check_that_splunk_app_package_does_not_contain_files_outside_of_app

A file or folder was found outside of the app within the overall package. OR the file or folder does not have expected permission. Please remove this file or folder OR modify the permission : SA-cim_vladiator-1.8.0

check_simplexml_standards_version

Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/cim_dictionary.xml to `<version=1.1>`. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/cim_dictionary.xml

Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/cim_validator.xml to `<version=1.1>`. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/cim_validator.xml

It might useful to put a dropdown for how many events to try to pull back. sparse events like pan:config logs get awkward trying to pull back 10000 events. also allow to specify time range..

While using the app, came across the following:

Domain Analysis - not official data model
Compute Inventory - that's the name of the .json file, can it be named "Inventory" like official documentation?
Identity Management - not official data model
Incident Management - not official data model, changed to Ticket Management?
Risk - not official data model
Threat Intelligence - not official data model

Any chance on an upgrade?
Splunk cloud's upgrade readiness app is reporting:

Details
This app is not compatible with jQuery 3.5.
Version
1.8.0
Remote Version
1.8.0
Application Path
/opt/splunk/etc/apps/SA-cim_vladiator
Required Action
Update this app or request to uninstall it. If you do nothing, the app will fail in future Splunk upgrades that use jQuery 3.5.

Dismiss App

Email Result

Export Result
Issue:
Splunk dashboard jQuery version check
Incompatible File Paths
.../default/data/ui/views/cim_validator.xml
.../default/data/ui/views/cim_dictionary.xml

CIM Dictionary is outdated. Splunk's CIM version is at 4.18.0, but the CIM validator's dictionary is at 4.3.1.

How can we update the dictionary (build the csv)?

Splunk Cloud will soon require Python 3 compatibility. This is also required for Splunk Enterprise 8.0
From an e-mail from Splunk regarding Splunk Cloud:
"You are required to make all 3rd party and private apps in your Splunk Cloud instances compatible with Python 3 by August 1, 2020."

Python 3 Migration

I ran 2to3 against mvmath.py and mvrex.py, and it said changes needed to be done. However, since I'm not as familiar with python as I want to be, I don't want to blindy apply those changes and call it ok.

Attached is the output of 2to3
2to3-CIM-validator.txt

This field is not displayed on validation