- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why doesn't my Data map to any Data models?
I have logs from switches being ingested, but the data doesn't conform to any standard data model. Is this possible or
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Hi @Will_powr you haven't shown us what your data looks like so it is not as simple as showing you "how". So I will direct you to some background information and the "why" regarding usage of the Splunk Common Information Model CIM and how it works in Splunk (with Data Models)
The What and the Why:
https://docs.splunk.com/Documentation/CIM/5.0.1/User/Overview
The How To:
https://docs.splunk.com/Documentation/CIM/5.0.1/User/Howtousethesereferencetables
It isn't necessary to normalize your data, but if you want your switch data to show up in a Splunk App that utilizes the CIM (maps fields from your data into the data models so that a search using the data model fields will work on your data automagically) you should look into it.
You can also go down this fun looking rabbit hole: https://lantern.splunk.com/Splunk_Platform/Data_Application/Data_Types/Network_switch_data
