All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Which Pipeline Uses "CIM" to convert the fields in Splunk?

nandha_2
Engager
‎10-31-2016 03:20 AM

I am trying to understand which pipeline deals with CIM? We have four sets of pipelines - is it the indexing pipeline which uses CIM or Parsing Pipeline. Please let me know.

Thanks
nandha

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎10-31-2016 05:28 AM

This is kind of a big question, but I will try to be clear.

First, the Common Information Model (CIM) is not a specific step or process inside of Splunk. The CIM is basically a standardized set of fields, tags, and eventtypes. Think of it as a schema where the different data sources follow the rules of the schema by mapping their custom fields to the schema defined fields, e.g., aliasing a sourcetype-specific field "UserName" to the CIM-standard field "user".

In the most common cases, mapping sourcetype-specific fields to CIM is done at search-time, not at index-time. So my answer doesn't really meet your expectations, because search-time field extractions comes after the input, parsing, and indexing pipelines.

Now, one can do index-time field extraction to CIM-compliant names (which would be the parsing pipeline), but I would say that is not the norm. Most CIM-compliant mapping is done in the props.conf, transforms.conf, tags.conf, and eventtypes.conf files on a search-head.

More reading: http://docs.splunk.com/Documentation/CIM/4.6.0/User/UsetheCIMtonormalizedataatsearchtime

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎10-31-2016 05:28 AM

This is kind of a big question, but I will try to be clear.

First, the Common Information Model (CIM) is not a specific step or process inside of Splunk. The CIM is basically a standardized set of fields, tags, and eventtypes. Think of it as a schema where the different data sources follow the rules of the schema by mapping their custom fields to the schema defined fields, e.g., aliasing a sourcetype-specific field "UserName" to the CIM-standard field "user".

In the most common cases, mapping sourcetype-specific fields to CIM is done at search-time, not at index-time. So my answer doesn't really meet your expectations, because search-time field extractions comes after the input, parsing, and indexing pipelines.

Now, one can do index-time field extraction to CIM-compliant names (which would be the parsing pipeline), but I would say that is not the norm. Most CIM-compliant mapping is done in the props.conf, transforms.conf, tags.conf, and eventtypes.conf files on a search-head.

More reading: http://docs.splunk.com/Documentation/CIM/4.6.0/User/UsetheCIMtonormalizedataatsearchtime

Reply
Solved! Jump to solution

nandha_2
Engager
‎10-31-2016 06:14 AM

convincing for me.. thanks

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎10-31-2016 06:26 AM

Glad to be helpful.

Please accept the answer if it satisfies your question.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...