In your Splunk deployment, data comes from multiple source types. As a result, the same kind of value can appear under many different field names. For example, the access_combined source type has an IP address field named clientip, which can contain some of the same values as the userip field in the cisco_wsa_squid source type.
At search time, you want to normalize these differently named fields to a common structure and naming convention so that you can correlate events from both source types.
Splunk provides the Common Information Model, or CIM, as a methodology for normalizing values to common field names.
This video shows you:
- An introduction to the Common Information Model
- The benefits of making your data CIM-compliant
- How to install the CIM Add-On
- How to set up the CIM
- How to use field aliases to normalize your data fields
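The following props.conf fragment is an added example, not configuration from the page or from the CIM Add-on itself. It shows the field-alias step for the two source types named above: clientip in access_combined and userip in cisco_wsa_squid are both aliased onto a single field. The target field name src (the CIM Web data model's client-address field) and the alias class names are assumptions chosen for illustration.

```ini
# Added example (not from the Splunk page or the CIM Add-on).
# Place in the local/props.conf of the app that owns these source types.
# Assumptions: the CIM target field is "src"; the class names after
# FIELDALIAS- are arbitrary labels and only need to be unique per stanza.

# Apache/NGINX combined access logs: clientip is the requesting client.
[access_combined]
FIELDALIAS-cim_src = clientip AS src

# Cisco WSA access logs: userip is the requesting client.
[cisco_wsa_squid]
FIELDALIAS-cim_src = userip AS src
```

After restarting or reloading the search head, a search such as `(sourcetype=access_combined OR sourcetype=cisco_wsa_squid) | stats count by src, sourcetype` shows events from both source types under the common src field, while the original clientip and userip fields remain available so existing searches keep working. Two caveats: field aliases are a search-time operation that runs after field extraction but before calculated fields and lookups, so the field you alias must already be extracted (an alias cannot reference an EVAL- field), and the alias only sets the field name; making the events fully CIM-compliant also requires the event types and tags the data model expects, which the CIM Add-on documentation covers.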
This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.
In addition, these Splunk resources might help you understand and implement this use case:
- Product Tip: Writing better searches with the Common Information Model
- Splunk Docs: Common Information Model Add-on Manual
- Splunk Add-on: Common Information Model (CIM)
- Pytest Splunk Add-on: Documentation