https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529935#M9500 <P>I'm not sure if INGEST_EVAL can be applied to DBX data.&nbsp; I think it can, but am not positive.</P><P>Please post a new question about your summary index problem.</P><P>The concept behind CIM is to use common field names among your various sourcetypes so correlation of events is easier.&nbsp; CIM uses datamodels to do that, but you can do it yourself with careful onboarding (using aliases, for example).</P> Wed, 18 Nov 2020 15:21:52 GMT richgalloway 2020-11-18T15:21:52Z https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529803#M9497 <P>Hi&nbsp;<BR />I have currently 5-6 index setup where consider <STRONG>abc </STRONG>as fieldname , which is extracted at index time and same fieldname is called with different name in different indexes like <STRONG>cde</STRONG>, <STRONG>efg</STRONG> . Now I&nbsp; want to create common field name for all these different fieldnames extracted at indextime.<BR />-What would be best way to achieve it and I want to take advantage of index time extracted fields?&nbsp;&nbsp;<BR />I checked CIM model but does not fit as per my data. so even if I created data model including all my index and then if I calculate fields to use one common name but it will not take any advantage of index time extracted fields.<BR /><BR /><BR /></P> Tue, 17 Nov 2020 18:21:26 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529803#M9497 ips_mandar 2020-11-17T18:21:26Z https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529819#M9498 <P>One method is to add INGEST_EVAL settings in the transforms.conf files for the various sourcetypes that write to those indexes.&nbsp; For example:</P><LI-CODE lang="markup">[setcommonnameabc] INGEST_EVAL commonfield=abc [setcommonnamecde] INGEST_EVAL commonfield=cde [setcommonnamedef] INGEST_EVAL commonfield=def</LI-CODE><P>&nbsp;</P> Tue, 17 Nov 2020 19:55:47 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529819#M9498 richgalloway 2020-11-17T19:55:47Z https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529891#M9499 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;&nbsp;<BR />some of my index data is coming from database using db connect app. so can I apply ingest-eval on that index as well?<BR />One more issue I am facing is that-&nbsp;<BR />I have summary index (test_summary_index)&nbsp; and I have <STRONG>abc</STRONG> fieldname in summary index as well. but problem is when I set fields.conf -<BR />[abc]<BR />indexed=true<BR /><BR />then splunk will try to search fieldname abc in metadata but it won't find any results for summary index .<BR />for ex. index="test_summary_index" abc="123"<BR />This query won't return any results.<BR />What could be solution for this issue?<BR />Can CIM be useful?<BR /><BR /><BR /></P> Wed, 18 Nov 2020 11:49:44 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529891#M9499 ips_mandar 2020-11-18T11:49:44Z https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529935#M9500 <P>I'm not sure if INGEST_EVAL can be applied to DBX data.&nbsp; I think it can, but am not positive.</P><P>Please post a new question about your summary index problem.</P><P>The concept behind CIM is to use common field names among your various sourcetypes so correlation of events is easier.&nbsp; CIM uses datamodels to do that, but you can do it yourself with careful onboarding (using aliases, for example).</P> Wed, 18 Nov 2020 15:21:52 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-CIM-model/m-p/529935#M9500 richgalloway 2020-11-18T15:21:52Z