All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the Common Information Model Add-on do anything out of the box?

hopnscotch
Path Finder
‎03-19-2014 06:43 AM

From everything I've read it looks like you just use the definitions in the model for fields and tags to alias or tag you events yourself. What does the add-on do?

0 Karma
Reply

aelliott
Motivator
‎03-19-2014 07:20 AM

Simply provides a standard method of parsing, categorizing, and normalizing data.

http://docs.splunk.com/Documentation/CIM/latest/User/Overview

The add-on is meant as an add-on, not an app. It is not meant to have a UI.
It's pretty powerful to display all your data into common formats. You can then create dashboards with those standard fields without having to re-invent the wheel every time.

There are several "CIM" compliant addons within the splunk apps and addons that some have already formatted popular logs into this format for you:
http://apps.splunk.com/apps/#/search/CIM%20compliant
http://apps.splunk.com/apps/#/search/Common%20Information%20Model
http://apps.splunk.com/apps/#/search/CIMifies

Reply

aelliott
Motivator
‎04-16-2014 11:29 AM

Correct.
The CIM provides normalization for many types of events and provides the data models for the Common Information Models.
In addition you can find other ones in the splunk apps.
Other than those resources, you have to create your own.

0 Karma
Reply

hopnscotch
Path Finder
‎04-16-2014 11:26 AM

I know there are other vendor specific add-ons that actually do the aliasing/normalization. From the answer above it looks like this add-on provides data models.

So any normalization actually needs to be done manually using the fields/tags from the model documentation (other than any vendor specific add-ons you can find).

Do I have that correct?

0 Karma
Reply

hazekamp
Builder
‎03-19-2014 12:20 PM

To build on aelliott's comments above, while this is not an app with a UI, we ship with approx 15 datamodels out of the box that can be used with the search app's Pivot interface. These can also be accelerated to provide a high performance column store that can be queried with "| tstats".

Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top