Splunk Enterprise Security

How to find out which data model a particular app maps to?

tmkunte
Engager

How do I find out which data model a particular app "maps" to?

Specifically the Cisco security suite ...

I see it is CIM compatible and need to get that data into my SIEM

0 Karma

nvonkorff
Path Finder

Hi @tmkunte 

I recently wrote an app (Data model wrangler) that helps with identifying indexes and sourcetypes that are mapped to data models and calculates two scores to determine an overall health-check of mapping:

  • Mapping quality - Percent of recommended fields in the data model that are found in each index/sourcetype
  • Data quality - Percent coverage of each field within the data, e.g. 25% of events have the 'src' field present

It also provides a field-level view of mapped data to determine which fields are present/missing and which fields have a low data quality.

This may help to give a better understanding of what is mapped to each data model. It is also useful when trying to map custom sourcetypes to data models.

0 Karma

ryanoconnor
Builder

The Cisco Security Suite App https://splunkbase.splunk.com/app/525/ searches data from a number of different Cisco devices. Many of those devices have their own individual Technology Add-ons.

Those specific technology add-ons are what you're going to want to look at. They will have tags that determine which data model the data is going to go into. The Splunk Add-on for Cisco ASA is a great example. https://splunkbase.splunk.com/app/1620/

For more information on which tags go to which data models you can look at specific data models here: http://docs.splunk.com/Documentation/CIM/latest/User/Overview

0 Karma
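To make the tag-to-data-model mechanism described in the answer above concrete, here is an added example (not code from the thread or from any Splunk add-on) that parses a TA's eventtypes.conf and tags.conf and reports which CIM root datasets each eventtype satisfies. The conf text is constructed in the style of a Cisco ASA TA, the message IDs are illustrative, and the constraint table is a small subset of the public CIM tag constraints.

```python
import re

# Subset of the CIM root-dataset tag constraints from the public CIM docs:
# an event maps to a model only if ALL tags in the set are enabled on it.
CIM_TAG_CONSTRAINTS = {
    "Authentication": {"authentication"},
    "Intrusion Detection": {"ids", "attack"},
    "Network Traffic": {"network", "communicate"},
    "Web": {"web"},
}
# Constructed sample conf text in the style of a Cisco ASA TA (not the real TA's files).
EVENTTYPES_CONF = """
[cisco_asa_connection]
search = sourcetype=cisco:asa (message_id=302013 OR message_id=302014)
[cisco_asa_auth]
search = sourcetype=cisco:asa message_id=113015
[cisco_asa_ips]
search = sourcetype=cisco:asa message_id=733100
"""
TAGS_CONF = """
[eventtype=cisco_asa_connection]
network = enabled
communicate = enabled
[eventtype=cisco_asa_auth]
authentication = enabled
[eventtype=cisco_asa_ips]
ids = enabled
attack = disabled
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (single-line values only)."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def map_eventtypes(eventtypes_conf=EVENTTYPES_CONF, tags_conf=TAGS_CONF):
    """Return {eventtype: (sourcetype, [CIM models whose tag set is fully enabled])}."""
    tags, result = parse_conf(tags_conf), {}
    for et, kv in parse_conf(eventtypes_conf).items():
        enabled = {t for t, s in tags.get(f"eventtype={et}", {}).items() if s == "enabled"}
        models = sorted(m for m, need in CIM_TAG_CONSTRAINTS.items() if need <= enabled)
        st = re.search(r"sourcetype=(\S+)", kv.get("search", ""))
        result[et] = (st.group(1) if st else None, models)
    return result
```

An eventtype that ends up with an empty model list (here `cisco_asa_ips`, because `attack` is disabled) is exactly the kind of gap a CIM mapping check should surface before the data is relied on in a SIEM.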