Normalizing values to a common field name with the Common Information Model (CIM)
In your Splunk deployment, data comes from multiple source types. As a result, the same values of data can occur under many different field names. For example, in the access_combined source type there is an IP address field named clientip, which can include some of the same values as the userip field in the cisco_wsa_squid source type.
At search time, you want to normalize these different occurrences to a common structure and naming convention, allowing you to correlate events from both source types.
Solution
Splunk supports the use of a Common Information Model, or CIM, to provide a methodology for normalizing values to a common field name.
This video shows you:
- An introduction to the Common Information Model
- The benefits of making your data CIM-compliant
- How to install the CIM Add-On
- How to set up the CIM
- How to use field aliases to normalize your data fields
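As an added example that is not part of this page or of Splunk's own add-ons, the props.conf fragment below applies field aliases to the two source types from the problem statement so that both clientip and userip are exposed under the CIM Web data model field src. The alias class name cim_src and the choice to deploy it in a custom app are assumptions.

```ini
# props.conf (added example; deploy in a custom app, e.g. <app>/local/props.conf)
# Field aliases run at search time and do not change the indexed events;
# the original fields clientip and userip remain available alongside src.

[access_combined]
# Apache-style access logs: clientip holds the requesting client's address.
FIELDALIAS-cim_src = clientip AS src

[cisco_wsa_squid]
# Cisco WSA proxy logs: userip holds the requesting client's address.
FIELDALIAS-cim_src = userip AS src
```

Once the configuration is loaded, a search such as `(sourcetype=access_combined OR sourcetype=cisco_wsa_squid) | stats count by src sourcetype` should return both source types keyed on the same src field; if one source type shows an empty src, its alias stanza was not applied.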
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Product Tip: Writing better searches with the Common Information Model
- Splunk Docs: Common Information Model Add-on Manual
- Splunk Add-on: Common Information Model (CIM)
- Pytest Splunk Add-on: Documentation