Reporting

How do we map same field from CIM Mapping from different model?

Explorer

How do we map same field from CIM Mapping from different model?
-- Example.. from same sourcetype data is coming
field1 -- Map to Inventory model 'dest' field
field2-- Map to Alert model 'dest' field

Labels (1)
0 Karma
1 Solution

Hi Raj,

I'm not sure, if I understood your question correctly, you want use different fields from same sourcetype as dest field in CIM and other datamodel.

The easiest way to achieve this defining these fields as eval expression in both datamodel.
Check the attached screenshot.

accept & up-vote the answer if it helped.
alt text

View solution in original post

0 Karma

Esteemed Legend

You are misunderstanding. Just make sure that whatever is creating dest is promoted to Global level for permissions. Then all Data Model Accelerations will see it regardless of the Data Model.

0 Karma

Hi Raj,

I'm not sure, if I understood your question correctly, you want use different fields from same sourcetype as dest field in CIM and other datamodel.

The easiest way to achieve this defining these fields as eval expression in both datamodel.
Check the attached screenshot.

accept & up-vote the answer if it helped.
alt text

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

I argue against modifying data models. Sometimes, it's necessary, but often not. All that is needed here is one or more fieldalias definitions to create the 'dest' field.

Modified data models will override any updates from Splunk so you may miss out on important changes.

---
If this reply helps you, an upvote would be appreciated.

Esteemed Legend

I agree; unless it is a data model that you created, I would avoid changing it unless absolutely necessary. In this case, it is definitely NOT absolutely necessary.

0 Karma

Explorer

Hello Gaurav,

Thank You its working.

0 Karma

SplunkTrust
SplunkTrust

It's just a field. Once you have the mapping from the source field to 'dest' it will work in all data models.

---
If this reply helps you, an upvote would be appreciated.
0 Karma