Getting Data In

Validate logs to CIM Validation (S.o.S.)

test_qweqwe
Builder

For example, I have the task "validate Fortinet logs to CIM Validation (S.o.S.)".
1) What does it mean and why do we need to do it?
2) How do I do this?


esix_splunk
Splunk Employee

First, you need to understand what the Common Information Model is, then perhaps your questions are easy to answer.

The Splunk Common Information Model (CIM) is a shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

The CIM add-on contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. You can use these data models to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations with Pivot.

The add-on also contains several tools that are intended to make analysis, validation, and alerting easier and more consistent. These tools include a custom command for CIM validation and a common action model, which is the common information model for custom alert actions. See Approaches to using the CIM for more information about the tools available in the CIM add-on.

This is from the Docs page @ http://docs.splunk.com/Documentation/CIM/4.9.1/User/Overview

I'd recommend reading this for a full understanding of what the CIM is used for. But as a very general and broad statement, it's a way to normalize events from many data sources to a common naming convention so that you can write one search that will return results from various data sources. As an example, different network vendors use different field names for the source IP address field, e.g., some will use source, source_ip, src_ip or src_ip_address. With that, you would have to write a search that would look for all those fields.

With CIM, you can write one search that looks for src_ip and if your data sources are all CIM validated, that search will work for all the data sources.

Again, there's a lot more than what I have outlined; I recommend reading the full docs for CIM to understand its full potential.

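To make the normalization described in the answer concrete, here is an added example of what "CIM validated" looks like in configuration. It is not from the post above and not the code of Splunk's or Fortinet's own add-ons. The sourcetype fortigate_traffic, the stanza names and the saved-search titles are assumptions; srcip, dstip, srcport, dstport, proto, sentbyte, rcvdbyte and action are FortiGate log field names, and src, dest, src_port, dest_port, transport, bytes_in, bytes_out, bytes and action are the CIM Network_Traffic field names they are mapped onto.

```ini
# props.conf -- search-time normalization for the (assumed) sourcetype
# "fortigate_traffic". Left-hand names are FortiGate's own log fields; the
# aliases add the CIM Network_Traffic names without removing the originals,
# so existing vendor-specific searches keep working.
[fortigate_traffic]
FIELDALIAS-cim_endpoints = srcip AS src dstip AS dest
FIELDALIAS-cim_ports     = srcport AS src_port dstport AS dest_port
FIELDALIAS-cim_bytes     = sentbyte AS bytes_out rcvdbyte AS bytes_in
# CIM wants a total byte count and a protocol name; FortiGate gives two
# counters and an IP protocol number.
EVAL-bytes     = tonumber(sentbyte) + tonumber(rcvdbyte)
EVAL-transport = case(proto=6, "tcp", proto=17, "udp", proto=1, "icmp", true(), "unknown")
# The CIM action vocabulary is allowed/blocked/teardown; map the vendor verbs
# onto it and pass anything unexpected through unchanged so it stays visible.
EVAL-action    = case(action="accept", "allowed", action="deny", "blocked", \
                      action="close" OR action="timeout", "teardown", true(), action)

# eventtypes.conf -- data models select events by tag, and tags hang off
# eventtypes, so the sourcetype first needs an eventtype.
[fortigate_traffic_events]
search = sourcetype=fortigate_traffic

# tags.conf -- the Network_Traffic root dataset constraint is
# "tag=network tag=communicate"; without both tags nothing reaches the model.
[eventtype=fortigate_traffic_events]
network     = enabled
communicate = enabled

# savedsearches.conf -- two checks that the mapping actually took effect.
# 1) Per-field coverage: count(<field>) only counts events where the field is
#    present, so a low percentage points at a missing or broken extraction.
[CIM validation - fortigate_traffic field coverage]
search = sourcetype=fortigate_traffic earliest=-24h \
  | stats count AS events, count(src) AS src, count(dest) AS dest, \
          count(src_port) AS src_port, count(dest_port) AS dest_port, \
          count(transport) AS transport, count(action) AS action, count(bytes) AS bytes \
  | foreach src dest src_port dest_port transport action bytes \
      [ eval <<FIELD>>_pct = round(100 * '<<FIELD>>' / events, 1) ]

# 2) End to end: the events must be visible through the data model itself,
#    which is what an Enterprise Security correlation search will query.
#    Zero rows here with a healthy coverage report above means the tags, not
#    the field extractions, are the problem.
[CIM validation - fortigate_traffic reaches Network_Traffic]
search = | tstats count FROM datamodel=Network_Traffic WHERE sourcetype=fortigate_traffic BY sourcetype
```

Where a vendor or Splunkbase add-on for the source exists, install it rather than hand-writing this mapping; the point of the example is to show what the add-on does under the hood and what "validated" means in practice: the vendor field is aliased or evaluated into the CIM name, the event is tagged so the data model's constraint picks it up, and a coverage search shows whether each field is actually populated before anyone relies on a data-model search over it.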
test_qweqwe
Builder

I found this:
docs.splunk.com/Documentation/CIM/4.9.1/User/UsetheCIMtovalidateyourdata#Use_the_CIM_Validation_.28S.o.S..29_datamodel
But I still don't understand how to use it 😞
