Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to validate data which is uploaded to Splunk is as per CIM model

rupeshhiremath
Explorer
‎05-06-2016 12:38 AM

Hi,

In our application we have data in a specific format. We are converting this data to CIM model (say IntrusionDetection, Malware etc) and then uploading to Splunk.
Now once its get uploaded I want to verify from Splunk side whether that data is as per specific CIM model or not.
How to go ahead with this?

Tags (1)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎05-07-2016 07:00 PM

One useful thing is the CIM Validation datamodel. This can help to find what extractions are still missing or which are misnamed. You can install the CIM on a new test Splunk instance and feed a bit of the data to it and test, or if you are already pumping that data into your regular Splunk install, well, that's OK too. 🙂

I've also found usefulness from just cracking open the appropriate datamodel and doing some pivots. A lot can be determined if you have a reasonably well known set of data and run some confirming pivots on that data.

0 Karma
Reply

rupeshhiremath
Explorer
‎05-25-2016 01:59 AM

And more importantly there is no directory called $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default

0 Karma
Reply

rupeshhiremath
Explorer
‎05-29-2016 06:07 AM

My bad..I was looking at different Splunk instance 😞
I am able to see missing extractions using CIM Validation datamodel..thank you.

Now trying how can I use CIM Validation datamodel with python.

0 Karma
Reply

rupeshhiremath
Explorer
‎05-25-2016 01:55 AM

Yes, I went through CIM Validation datamodel but I am not able to make much out of it.
Could you please try to explain with example?

0 Karma
Reply

rupeshhiremath
Explorer
‎05-09-2016 04:45 AM

Hi rich7177,

Could you please elaborate more on this as I am new to Splunk. And more importantly I wanted to this with automation.

Thanks

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎05-09-2016 07:21 AM

Rupeshshiremath, did you try reviewing the link to the CIM Validation datamodel that Rich posted?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...