Data normalization is a way to ingest and store your data in Splunk in a common format, for consistency and efficiency. When you onboard a new data source or review existing data, check whether it follows the same format as other data of similar types and categories. Consistently formatted data saves time and improves performance when you run ad hoc or scheduled searches.
What are the benefits of normalization?
Correct data ingestion produces many benefits that make implementing other solutions easier. It allows your team to focus on the analysis and prioritization tasks that are most important to your organization.
- Reliable and consistent format of data
- Easier to implement alerts and correlation rules
- Easier to implement apps and add-ons
- Increased confidence and data integrity
What are normalization best practices?
It is important to ingest your machine data in a way that other security tools can use it, while preserving data integrity and reliability. Some best practices to follow are:
- Use the Common Information Model (CIM).
- Follow documented best practice procedures.
- Regularly review data quality.
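As an added example, not taken from the Splunk page itself, here is the kind of search-time configuration that maps a vendor-specific source onto the CIM Authentication data model. The sourcetype acme:vpn:auth and the raw field names client_ip, login_name, gateway and result are constructed for illustration and are not a real product's schema.

```ini
# props.conf  (constructed sourcetype; vendor field names are assumed)
[acme:vpn:auth]
# Raw events carry vendor-specific field names. Alias them onto the
# CIM Authentication field names so every auth source looks the same.
FIELDALIAS-acme_cim_src  = client_ip AS src
FIELDALIAS-acme_cim_user = login_name AS user
FIELDALIAS-acme_cim_dest = gateway AS dest
# CIM expects action to be exactly "success" or "failure". Map the
# vendor's own result codes (assumed values) instead of passing them raw.
EVAL-action = case(result=="OK", "success", result=="DENIED" OR result=="BADPW", "failure")
EVAL-app = "acme_vpn"

# eventtypes.conf
# Group the events that represent an authentication attempt.
[acme_vpn_auth]
search = sourcetype="acme:vpn:auth" result=*

# tags.conf
# The "authentication" tag is what pulls these events into the
# CIM Authentication data model (and therefore into ES correlation searches).
[eventtype=acme_vpn_auth]
authentication = enabled

# Once the source is normalized, one data-model search covers it together
# with every other authentication source, for example:
#   | tstats count from datamodel=Authentication
#       where Authentication.action="failure"
#       by Authentication.src, Authentication.user
```

Review the result with the CIM Validation dashboard in the Splunk Common Information Model add-on, which reports fields the data model expects but does not find.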
Where can I learn more about normalizing my data?
Splunk recommends following this prescriptive adoption motion: Splunk Adoption Maturity: Data Sources and Normalization. This guide walks you step-by-step through planning, data source onboarding, using the CIM and data models, and measuring your success.
These additional resources will help you implement this guidance:
- Product tip: Onboarding data to Splunk Enterprise Security
- Getting Started Guide: Getting data into ES
- .Conf session: Data onboarding: Where do I begin?