Using the Common Information Model

Question 1

What is the Common Information Model used for?

Answer 1

CIM provides a methodology for normalizing values to a common field name.

Question 2

Splunk ES relies heavily on CIM compliant data when:

Answer 2

• Searching Data
• Running Reports
• Creating Dashboards

Question 3

What are the steps necessary to use CIM with your data?

Answer 3

1. Getting Data In
2. Examine Data
3. Tag Events
4. Verify Tags
5. Normalize Fields
6. Validate Against Model
7. Package as Add-on

Question 4

What happens if your data does not have tags required by the CIM data model?

Answer 4

You won’t be able to run a pivot (the pivot will return 0 events).

Question 5

What data models are included within the Splunk CIM Add-On?

Answer 5

Alerts
Authentication
Certificates
Change
Data Access
Databases
Data Loss Prevention
Email
Endpoint
Event Signatures
Interprocess Messaging
Intrusion Detection
Inventory
Java Virtual Machines (JVM)
Malware
Network Resolution (DNS)
Network Sessions
Network Traffic
Performance
Splunk Audit Logs
Ticket Management
Updates
Vulnerabilities
Web

Question 6

By default, how is acceleration configured in the Splunk CIM add-on?

Answer 6

Turned off.

Question 7

Which Knowledge Objet does Splunk CIM use to normalize data?

Answer 7

• Field Aliases
• Event Types
• Tags
• Field Extractions
• Lookups