splunk
diff --git a/‎README.md
-2 b/‎README.md
-2
diff --git a/‎README.txt
+10 b/‎README.txt
+10
diff --git a/‎README/alert_actions.conf.example
+28 b/‎README/alert_actions.conf.example
+28
diff --git a/‎README/alert_actions.conf.spec
+98 b/‎README/alert_actions.conf.spec
+98
diff --git a/‎README/commands.conf.spec
+9 b/‎README/commands.conf.spec
+9
diff --git a/‎README/datamodels.conf.spec
+19 b/‎README/datamodels.conf.spec
+19
diff --git a/‎README/inputs.conf.example
+6 b/‎README/inputs.conf.example
+6
diff --git a/‎README/inputs.conf.spec
+29 b/‎README/inputs.conf.spec
+29
diff --git a/‎README/restmap.conf.spec
+9 b/‎README/restmap.conf.spec
+9
@@ -0,0 +1,10 @@
+ReadMe
+Splunk Common Information Model 4.15.0
+
+Copyright (C) 2005-2018 Splunk Inc. All rights reserved.
+
+* For the Release Notes, What's New, and Getting Started documentation for this 
+release see: 
+     http://docs.splunk.com/Documentation/CIM/
+
+
@@ -0,0 +1,28 @@
+
+[my_action]
+
+...
+
+param._cam = {\
+    "category":   	   ["Information Gathering"],\
+    "task":       	   ["create"],\
+    "subject":         ["network.capture"],\
+    "technology":      [{"vendor": "Splunk", "product": "Splunk App for Stream"}],\
+    "supports_adhoc":  true,\
+    "drilldown_uri":   "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
+}
+
+
+[my_action2]
+
+...
+
+param._cam = {\
+    "category":   	     ["Information Gathering"],\
+    "task":       	     ["scan"],\
+    "subject":           ["process.reputation-service"],\
+    "technology":        [{"vendor": "myvendor", "product": "myproduct", "version": "1.0"}],\
+    "supports_adhoc":    true,\
+    "drilldown_uri":     "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$",\
+    "field_name_params": ["param.host_field"]\
+}
@@ -0,0 +1,98 @@
+
+param._cam = <json>
+    * Json specification for classifying response actions.
+    * See Appendix A.
+    * Optional.
+    * Defaults to None.
+
+param._cam_workers = <json>
+    * Json specification for defining remote workers.
+    * See Appendix B.
+    * Optional.
+    * Defaults to None.
+
+
+###### Appendix A: Common Action Model Specification #######
+## category:          The category or categories the modular action belongs to.
+##                    Required.
+##                    For instance, "Information Gathering".
+##                    See cam_categories.csv for recommended values.
+## task:              The function or functions performed by the modular action.
+##                    Required.
+##                    For instance, "create".
+##                    See cam_tasks.csv for recommended values.
+## subject:           The object or objects that the modular action's task(s)
+##                    can be performed on (i.e. "endpoint.file").
+##                    Required.
+##                    See cam_subjects.csv for recommended values.
+## technology:        The technology or technologies that the modular action supports.
+##                    Required.
+##                    vendor:  The vendor of the technology.
+##                        Required.
+##                        For instance, "Splunk".
+##                    product: The product of the technology.
+##                        Required.
+##                        For instance, "Enterprise".
+##                    version: The version or versions of the technology.
+##                        Optional.
+##                        For instance, "6.4".
+## drilldown_uri:     Specifies a custom target for viewing the events
+##                    outputted as a result of the action.
+##                    Custom target can specify app and/or view depending on syntax.
+##                    Optional.
+##                    For instance, "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
+##                    For instance, "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"
+## field_name_params: The param or params which represent the name of a result field.
+##                    Optional.
+##                    For instance, ["param.search_field"] indicates that the value of "param.search_field"
+##                    should be present as a field in the result or results being operated on.
+## required_params:   Parameter(s) required for successful action execution. 
+##                    Indicated by "*" in the custom alert action user interface. 
+##                    For instance, ["param.search_field"] indicates that "param.search_field"
+##                    should be specified when submitting the action on the custom alert action
+##                    user interface.
+##                    Optional.
+## supports_adhoc:    Specifies if the modular action supports adhoc invocations.
+##                    Optional.
+##                    Defaults to False.
+## supports_cloud:    Specifies if the modular actions supports the "cloud" model.
+##                    For instance, does the action function properly when the search head does not have access
+##                    to the local network.
+##                    Optional.
+##                    Defaults to True.
+## supports_workers:  Specifies if the modular actions supports remote workers.
+##                    supports_workers==True implies supports_cloud==True
+##                    Optional.
+##                    Defaults to False.
+#{
+#    "category":          ["<category>", ..., "<category">],
+#    "task":              ["<task>", ..., "<task>"],
+#    "subject":           ["<subject>", ..., "<subject>"],
+#    "technology":        [{ "vendor":  "<vendor>",
+#                            "product": "<product>",
+#                            "version": ["<version>", ..., "<version>"]
+#                          },
+#                          ...,
+#                          { "vendor":  "<vendor>",
+#                            "product": "<product>",
+#                            "version": ["<version>", ..., "<version>"]
+#                          }
+#                         ],
+#    "drilldown_uri":     "<uri>",
+#    "field_name_params": ["<param.param1>", ..., "<param.paramN>"],
+#    "required_params":   ["<param.param1>", ..., "<param.paramN>"]
+#    "supports_adhoc":    true | false,
+#    "supports_cloud":    true | false,
+#    "supports_workers":  true | false
+#}
+
+
+###### Appendix B: Common Action Model Remote Workers Specification #######
+## List of Splunk "serverName" values as advertised by /server/info
+##
+## Special "serverName" values:
+##    * "local" - action script will continue doing work locally in addition to
+##                queueing work for additional workers (if specified).
+##                
+##
+## [ "local"?, "worker1", "worker2", ..., "workern" ]
@@ -0,0 +1,9 @@
+
+[<STANZA_NAME>]
+python.version = {default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
@@ -0,0 +1,19 @@
+
+acceleration.allow_old_summaries = <bool>
+* Optional setting. Requires 7.1+
+* Sets the default value of 'allow_old_summaries' for this data model.
+* Only applies to accelerated datamodels.
+* When you use commands like 'datamodel', 'from', or 'tstats' to run a search 
+  on this data model, allow_old_summaries=false causes the Splunk software to
+  verify that the data model search in each bucket's summary metadata matches 
+  the scheduled search that currently populates the data model summary.
+  Summaries that fail this check are considered "out of date" and are not used 
+  to deliver results for your events search.
+* This setting helps with situations where the definition of an accelerated
+  data model has changed, but the Splunk software has not yet updated its
+  summaries to reflect this change. When allow_old_summaries=false for a data
+  model, an event search of that data model only returns results from bucket
+  summaries that match the current definition of the data model.
+* If you set allow_old_summaries=true, your search delivers results from
+  bucket summaries that are out of date with the current data model definition.
+* Default: false
@@ -0,0 +1,6 @@
+[relaymodaction://master]
+uri = https://master:8089
+description = splunk cloud search head
+username = username
+verify = True
+client_cert = client_cert.pem
@@ -0,0 +1,29 @@
+
+python.version = {default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.
+
+[relaymodaction://<name>]
+uri = <string>
+* Remote splunk instance management URI.
+* Format should be protocol://host:port
+
+description = <string>
+* Description for the remote Splunk instance.
+
+username = <string>
+* Label pertaining to the API key stored in secure storage, must be unique.
+* Realm is "cam_queue".
+
+verify = <string>
+* Specifies if SSL verification is needed between worker and remote search head.
+* Defaults to True
+
+client_cert = <string>
+* Filename of client certificate.
+* Specify when SSL verification is needed, leave empty otherwise.
+* Certificate should be put in $splunk_home/etc/apps/Splunk_SA_CIM/auth
@@ -0,0 +1,9 @@
+
+[script:<uniqueName>]
+python.version={default|python|python2|python3}
+* Optional setting. Requires 8.0+
+* For Python scripts only, selects which Python version to use.
+* Set to either "default" or "python" to use the system-wide default Python
+  version.
+* Optional.
+* Default: Not set; uses the system-wide Python version.