Module 13: Using the Common Information Model (CIM) Add-On Flashcards
What is the Common Information Model (CIM)?
The Splunk Common Information Model provides a methodology to normalize data
When should you leverage the Common Information Model (CIM)?
When creating field extractions, field aliases, event types, and tags to ensure:
- multiple apps can co-exist on a single Splunk deployment
- object permissions can be set to global for the use of multiple apps
- easier and more efficient correlation of data from different sources and source types
How many pre-configured data models are there in Splunk?
22: Alerts, Application State, Authentication, Certificates, Change Analysis, CIM Validation (S.o.S), Databases, Email, Interprocess Messaging, Intrusion Detection, Inventory, Java Virtual Machines (JVM), Malware, Network Resolution (DNS), Network Sessions, Network Traffic, Performance, Splunk Audit Logs, Ticket Management, Updates, Vulnerabilities, Web
Are the data models included in the CIM add-on configured with data model acceleration turned off?
Yes, they are.
How do you use the Common Information Model?
- Examine your data
  - go to Settings > Data Models
  - identify a data model relevant to your dataset
  (Best practice: keep the CIM reference tables in the Splunk docs page open in a separate tab)
- Create event types & tags
  - identify the CIM datasets relevant to your events
  - observe which tags are required for that dataset or any parent datasets
  - apply those tags to your events using event types
- Create field aliases
  - determine whether any existing fields in your data have different names than the names expected by the data models
  - define field aliases to capture the field with a different name in your original data and map it to the field name that the CIM expects
- Add missing fields
  - create field extractions
  - write lookups to add fields and normalize field values
- Validate against the data model
  - use the datamodel command
  - use Pivot in Splunk Web
What does the datamodel command allow you to do?
It allows the user to examine data models and run the search for a data model object.
What kind of command is the datamodel command and how should you use it?
It is a generating command and should be the first command in the search pipeline.
When using the datamodel command the object name and search keyword aren’t valid unless?
They must be preceded by the data model name. The search keyword of the command cannot be substituted with a search string or name.
When using the datamodel command what components are case sensitive?
The data model name and the dataset name are both case sensitive.
What does the from command do?
It retrieves data from a data model or named dataset and must be the first command in a search.
How is the from command different from the datamodel command?
- datamodel returns all fields, prepended with the data model name
- from datamodel returns the specified fields only
The from command can also?
Retrieve data from saved searches, reports, or lookup files.