Splunk Enterprise

Help on basic questions about datamodel

jip31
Motivator

Hello

As far I understand, the Splunk datamodel has two main goals

1)  Data models enable users of Pivot to create compelling reports and dashboards without designing the searches that generate them.  So, the Pivot tool lets to report on a specific data set without the Splunk Search Processing Language 

2) It's possible to refer to the CIM data models to normalize different name of data having the same function

In this case, we need to normalize data by using tags, alias, eventtypes, etc...

  • Alerts
  • Application State
  • Authentication
  • Certificates
  • Databases
  • Data Loss Prevention
  • Email
    Interprocess Messaging
  • Intrusion Detection
  • Inventory
  • Java Virtual Machines
  • Malware
  • Network Resolution (DNS)
  • Network Sessions
  • Network Traffic
  • Performance
  • Ticket Management
  • Updates
  • Vulnerabilities
  • Web

Is it correct? Thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I agree with #1.

As for #2, I believe it's the other way around.  CIM is what makes datamodels work.  Once the data has been normalized to use CIM field names, the tags and eventtypes used by the DMs become effective.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I agree with #1.

As for #2, I believe it's the other way around.  CIM is what makes datamodels work.  Once the data has been normalized to use CIM field names, the tags and eventtypes used by the DMs become effective.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...