Why doesn't my Data map to any Data models? - Splunk Community

Knowledge Management

I have logs from switches being ingested, but the data doesn't conform to any standard data model. Is this possible or

Hi @Will_powr you haven't shown us what your data looks like so it is not as simple as showing you "how". So I will direct you to some background information and the "why" regarding usage of the Splunk Common Information Model CIM and how it works in Splunk (with Data Models)
The What and the Why:
https://docs.splunk.com/Documentation/CIM/5.0.1/User/Overview

The How To:
https://docs.splunk.com/Documentation/CIM/5.0.1/User/Howtousethesereferencetables

It isn't necessary to normalize your data, but if you want your switch data to show up in a Splunk App that utilizes the CIM (maps fields from your data into the data models so that a search using the data model fields will work on your data automagically) you should look into it.

You can also go down this fun looking rabbit hole: https://lantern.splunk.com/Splunk_Platform/Data_Application/Data_Types/Network_switch_data

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Thursday, July 10, 2025 | 11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...