Using the Common Information Model (CIM) Add-On Flashcards Preview

Power User Splunk > Using the Common Information Model (CIM) Add-On > Flashcards

Flashcards in Using the Common Information Model (CIM) Add-On Deck (12)
Loading flashcards...
1
Q

What is the Common Information Model (CIM)?

A

The Splunk Common Information Model provides a methodology to normalize data

2
Q

When should leverage the Common Information Model (CIM)?

A

When creating field extractions, field aliases, event types, and tags to ensure:

  • multiple apps can co-exist on a single Splunk deployment
  • Object permissions can be set to global for the use of multiple apps
  • Easier and more efficient correlation fo data from different sources and source types
3
Q

How set pre-configured data models are there in Splunk?

A
22:
Alerts
Application State
Authentication
Certificates
Change Analysis
CIM Validation (S.o.S)
Databases
Email
Interprocess Messaging
Intrusion Detection
Inventory
Java Virtual Machines (JVM)
Malware
Network Resolution (DNS)
Network Sessions
Network Traffic
Performance
Splunk Audit Logs
Ticket Management
Updates 
Vulnerabilities
Web
4
Q

Are the data models included in the CIM add-on are configured with data model acceleration turned off?

A

Yes they are

5
Q

How do you use the Common Information Model?

A
  1. Examine your data
    - go to settings > data models
    - identify a data model relevant to your dataset
    (Best practice: Keep the CIM reference tables in Splunk docs page open in a separate tab)
  2. Create event types & tags
    - identify the CIM datasets relevant to your events
    - observe which tags are required for that dataset or any parent datasets
    - apply those tags to your events using event types
  3. Create field aliases
    - determine whether any existing fields in your data have different names than the names expected by the data models
    - define field aliases to capture the field with a different name in your original data and map it to the field name that the CIM expects
  4. Add missing fields
    - create field extractions
    - write lookups to add fields and normalize field values
  5. Validate against data model
    - use the datamodel command
    - use Pivot in Splunk Web
6
Q

What does the datamodel command allow you to do?

A

Allows user to examine data models and run the search for a datamodel object

7
Q

What kind of command is the datamodel command and how should you use it?

A

It is a generating command and should be the first command in the pipeline

8
Q

When using the datamodel command the object name and search keyword aren’t valid unless?

A

Preceded by the data model name. The command search cannot be substituted with a search string or name

9
Q

When using the datamodel command what components are case sensitive?

A

The data model name and the dataset name are both case sensitive

10
Q

What does the from command do?

A

Its retrieves data from a data model or named dataset and must be the first command in as search

11
Q

How is the from command different from the datamodel command?

A
  • datamodel returns all fields prepended with data model name
  • from datamodel returns specified fields only
12
Q

The from command can also?

A

Retrieve data from saved searches, reports, or lookup files