Getting Data In

How to validate data which is uploaded to Splunk is as per CIM model

rupeshhiremath
Explorer

Hi,

In our application we have data in a specific format. We are converting this data to CIM model (say IntrusionDetection, Malware etc) and then uploading to Splunk.
Now once its get uploaded I want to verify from Splunk side whether that data is as per specific CIM model or not.
How to go ahead with this?

Tags (1)
0 Karma

Richfez
SplunkTrust
SplunkTrust

One useful thing is the CIM Validation datamodel. This can help to find what extractions are still missing or which are misnamed. You can install the CIM on a new test Splunk instance and feed a bit of the data to it and test, or if you are already pumping that data into your regular Splunk install, well, that's OK too. 🙂

I've also found usefulness from just cracking open the appropriate datamodel and doing some pivots. A lot can be determined if you have a reasonably well known set of data and run some confirming pivots on that data.

0 Karma

rupeshhiremath
Explorer

And more importantly there is no directory called $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default

0 Karma

rupeshhiremath
Explorer

My bad..I was looking at different Splunk instance 😞
I am able to see missing extractions using CIM Validation datamodel..thank you.

Now trying how can I use CIM Validation datamodel with python.

0 Karma

rupeshhiremath
Explorer

Yes, I went through CIM Validation datamodel but I am not able to make much out of it.
Could you please try to explain with example?

0 Karma

rupeshhiremath
Explorer

Hi rich7177,

Could you please elaborate more on this as I am new to Splunk. And more importantly I wanted to this with automation.

Thanks

0 Karma

piebob
Splunk Employee
Splunk Employee

Rupeshshiremath, did you try reviewing the link to the CIM Validation datamodel that Rich posted?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...