Archive
Highlighted

Validate logs to CIM Validation (S.o.S.)

Builder

For example, I have task "validate fortinet logs to CIM Validation (S.o.S.)".
1) What it's mean and why we need do it?
2) How do i do this?

0 Karma
Highlighted

Re: Validate logs to CIM Validation (S.o.S.)

Builder

I found this:
docs.splunk.com/Documentation/CIM/4.9.1/User/UsetheCIMtovalidateyourdata#UsetheCIMValidation.28S.o.S..29_datamodel
But still not understand how use it 😞

0 Karma
Highlighted

Re: Validate logs to CIM Validation (S.o.S.)

Splunk Employee
Splunk Employee

First, you need to understand what the Common Information Model is, then perhaps your questions are easy to answer.

The Splunk Common Information Model (CIM) is a shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

The CIM add-on contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. You can use these data models to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations with Pivot.

The add-on also contains several tools that are intended to make analysis, validation, and alerting easier and more consistent. These tools include a custom command for CIM validation and a common action model, which is the common information model for custom alert actions. See Approaches to using the CIM for more information about the tools available in the CIM add-on.

This is from the Docs page @ http://docs.splunk.com/Documentation/CIM/4.9.1/User/Overview

I'd recommend reading this for a full understanding of what the CIM is used for. But as a very general and broad statement, its a way to normalize events from many data sources to a common naming convention so that you can write one search that will return results from various data sources. As an example, different network vendors use different field names for the source ip address field, e.g., some will use source or source_ip or src_ip srcipaddress. With that, you would have to write a search that would look for all those fields.

With CIM, you can write one search that looks for src_ip and if your data sources are all CIM validated, that search will work for all the data sources.

Again, there's a lot more then what I have outlined, I recommend reading the full docs for CIM to understand its full potential.

View solution in original post