Skip to main content
Registration for .conf24 is open! Join us June 11-14 in Las Vegas.
Splunk Lantern

Normalizing values to a common field name with the Common Information Model (CIM)


In your Splunk deployment, data comes from multiple source types. As a result, the same values of data can occur under many different field names. For example, in the access_combined source type, there is an IP address field named clientip, which can include some of the same values as the userip field in the cisco_wsa_squid source type.

At search time, you want to normalize these different occurrences to a common structure and naming convention, allowing you to correlate events from both source types.


Splunk supports the use of a Common Information Model, or CIM, to provide a methodology for normalizing values to a common field name.

This video shows you:

  • An introduction to the Common Information Model
  • The benefits of making your data CIM-compliant
  • How to install the CIM add-On
  • How to set up the CIM
  • How to use field aliases to normalize your data fields

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the HoodResult Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

In addition, these Splunk resources might help you understand and implement this use case: