
How to best normalize fields for Splunk Common Information Model (CIM)?

Path Finder

Hello folks,

I was wondering if you could help me with a dilemma about PERFORMANCE.

I'm normalizing fields in order to use them with Splunk Common Information Model (CIM) and I don't know if using the extraction method like this:

props.conf:
[(?::){0}opsec*]
REPORT-rule_as_rule_id = rule_as_rule_id

transforms.conf:
[rule_as_rule_id]
REGEX = rule=(\w+)
FORMAT = rule_id::$1

OR just use the FIELDALIAS like this:

props.conf:
[(?::){0}opsec*]
FIELDALIAS-opsec_cim_fields = rule as rule_id

Can you help me to understand what is the best method, if any?

Thank you in advance!


Re: How to best normalize fields for Splunk Common Information Model (CIM)?

SplunkTrust

Field aliases can be a bigger detriment to performance. Martinmueller (https://answers.splunk.com/users/134323/martinmueller.html) could probably answer this better than I can with his fantastic .conf talk on the subject: http://conf.splunk.com/session/2015/conf2015_MMueller_Consist_Deploying_OptimizingSplunkKnowledge.pd...

My take-away is - I wouldn't spend a whole lot of time fixing existing sourcetypes, but if you're doing it for a new sourcetype then I'd utilize a regex.
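As an added illustration of the regex route recommended above (this is not configuration from the thread or from any Splunk add-on), the props.conf/transforms.conf pair below pulls several CIM Network Traffic fields out of one constructed OPSEC-style event with a single REPORT transform, using named capture groups so no FORMAT line and no FIELDALIAS chain is needed; the sample event and the vendor_action values are assumptions.

```conf
# Constructed sample event (assumed to arrive under the opsec* sourcetypes), not from the thread:
#   rule=Allow_Web action=accept src=10.0.0.5 dst=203.0.113.7 service=443 proto=tcp

# props.conf
[(?::){0}opsec*]
REPORT-opsec_cim = opsec_cim_fields
# Calculated field: map the vendor's action vocabulary onto the CIM values
# (allowed/blocked) instead of aliasing the raw value straight into "action".
# The vendor strings accept/drop/reject are assumed for this example.
EVAL-action = case(vendor_action=="accept", "allowed", vendor_action=="drop" OR vendor_action=="reject", "blocked", true(), "unknown")

# transforms.conf
# One regex extracts directly into CIM field names via named groups;
# only the raw action is kept under a vendor_ name so EVAL-action can normalize it.
[opsec_cim_fields]
REGEX = rule=(?<rule_id>\S+)\s+action=(?<vendor_action>\w+)\s+src=(?<src>\S+)\s+dst=(?<dest>\S+)\s+service=(?<dest_port>\d+)\s+proto=(?<transport>\w+)

# Check the result in search before deploying (index name is a placeholder):
#   index=<your_index> sourcetype=opsec* | head 5
#   | table rule_id action vendor_action src dest dest_port transport
# To dry-run the regex against raw events without touching the conf files:
#   index=<your_index> sourcetype=opsec* | rex "rule=(?<rule_id>\S+)\s+action=(?<vendor_action>\w+)"
```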

Re: How to best normalize fields for Splunk Common Information Model (CIM)?

Path Finder

Thank you for your answer! I'll try this approach.