Normalizing values to a common field name with the Common Information Model (CIM)

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

In your Splunk deployment, data comes from multiple source types. As a result, the same values of data can occur under many different field names. For example, in the access_combined source type, there is an IP address field named clientip, which can include some of the same values as the userip field in the cisco_wsa_squid source type.

At search time, you want to normalize these different occurrences to a common structure and naming convention, allowing you to correlate events from both source types.

Solution

Splunk supports the use of a Common Information Model, or CIM, to provide a methodology for normalizing values to a common field name.

This video shows you:

An introduction to the Common Information Model
The benefits of making your data CIM-compliant
How to install the CIM add-On
How to set up the CIM
How to use field aliases to normalize your data fields

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

In addition, these Splunk resources might help you understand and implement this use case:

Product Tip: Writing better searches with the Common Information Model
Splunk Docs: Common Information Model Add-on Manual
Splunk Add-on: Common Information Model (CIM)
Pytest Splunk Add-on: Documentation