Splunk Enterprise

How to make data CIM compatible

jip31
Motivator

Hello

I have great difficulties to understand where to begin for using the CIM datamodel

Is anybody can clearly summarize the different ways to apply a CIM datamodel in my own apps?

Thanks in advance

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I'll presume you've read the CIM manual at https://docs.splunk.com/Documentation/CIM/5.3.1/User/Overview .  What specific questions do you have about what you read (or couldn't find)?

CIM is not an Easy Button.  That is, installing the app will not make your apps CIM-compliant.  Instead, you must add aliases, calculated fields, and/or other KOs so your app will produce CIM-compliant data.  The CIM manual lists the fields expected by each datamodel (not all fields are required).

Depending on your app, it's possible no DM will apply.  That's OK.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jip31
Motivator

Imagine I have an app with Intrusion Detection data 

If I want to make my app CIM compliant I need to add aliases, tags and calculated fields like in the Intrusion Detection Datamodel ?

For example, if I have a field called "Alert level", I need to create an aliases in my app in order to rename it as "severity_id"?

Or is it better to create a own datamodel from my app and to query from this datamodel with tstats?

| tstats count from datamodel=TEST

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Don't create your own DM.  That defeats the purpose of CIM.

Your app should produce fields listed in the CIM manual for the Intrusion Detection model.  It doesn't have to produce all of the fields, but as many as apply to the data.  It also may have to adjust field values to match those expected by the DM ("high", "medium", "low", etc. in severity, for example).  Tag the data as expected by the DM.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jip31
Motivator

when you say "to match those expected by the DM ("high", "medium", "low", etc. in severity, for example)", where I can see this information in the DM? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...