All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Common Information Model (CIM): Applying mu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jinloes
Engager
11-30-2017
11:27 AM
How can I handle the case where I want to apply multiple CIM models to my sourcetype but 2 CIMs have the same field but have different meaning (as in they would be evaled from different fields)?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-30-2017
06:37 PM
The basic principle is: do not modify the CIM so your options are limited; you can:
A: Use a similar field that is supported such as src_ip or src_name.
B: Duplicate the event and send the original with one field mapping to one data model and the duplicate with the other mapping to the other data model. Your options here are: B1: summary index or B2: CLONE_SOURCETYPE.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-30-2017
06:37 PM
The basic principle is: do not modify the CIM so your options are limited; you can:
A: Use a similar field that is supported such as src_ip or src_name.
B: Duplicate the event and send the original with one field mapping to one data model and the duplicate with the other mapping to the other data model. Your options here are: B1: summary index or B2: CLONE_SOURCETYPE.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-30-2017
02:47 PM
I think you are toast but am curious about the particulars. What are the source/sourcetype of your event and what 2 datamodels and what field (I assume the field is action)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jinloes
Engager
11-30-2017
04:55 PM
I'm trying to map one of our internal events to the Alert and Network Traffic CIM models because it contains information relevant to both models. I'm interested in the src field of both models but src means different things in both models so the source values needs to be different. Is there any way to handle that case?
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
