Take for example WinHostMon network or process inputs. The MACAddress field should be "mac". The process input should use "path" instead of "Path" since field names are case sensitive.
Most of the fields in the Nessus TA app are also not CIM compliant.
If Splunk wants to use fields like "Path" or "MACAddress" in the event to make it more human readable, at least provide field aliases to make those inputs CIM compliant.
Can somebody from Splunk please explain why so much of the content you develop is not consistent with the best practices you preach for everybody else? Every TA or input that you create should be CIM compliant out of the box. Your customers shouldn't have to spend time mapping your non-compliant fields to the CIM in order to make something like ES work.
Thank you for raising this question.
For Nessus TA:
Nessus TA (Splunk Add-on for Tenable) is designed to map CIM:Vulnerabilities and CIM:All_Inventory.OS. We have not mapped 'path' and 'mac', as these two CIM models have no 'path' or 'mac' field. (field ‘mac’ belong to CIM:All_Inventory.Network instead of CIM:All_Inventory.OS). Please feel free to let us know what data model you think should be mapped other than these two designed ones.
CIM has field like 'file_path', 'object_path', but it has no field named 'path'. CIM’s documentation can be found on page: http://docs.splunk.com/Documentation/CIM/4.6.0/User/
We will have an overview of other TAs and their CIM compliance. Do you have any other TAs that you find are not CIM compliant? We will have a further check on these TAs.