Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to make data CIM compatible

jip31
Motivator
‎02-15-2024 06:29 AM

Hello

I have great difficulties to understand where to begin for using the CIM datamodel

Is anybody can clearly summarize the different ways to apply a CIM datamodel in my own apps?

Thanks in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 10:09 AM

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 06:40 AM

I'll presume you've read the CIM manual at https://docs.splunk.com/Documentation/CIM/5.3.1/User/Overview .  What specific questions do you have about what you read (or couldn't find)?

CIM is not an Easy Button.  That is, installing the app will not make your apps CIM-compliant.  Instead, you must add aliases, calculated fields, and/or other KOs so your app will produce CIM-compliant data.  The CIM manual lists the fields expected by each datamodel (not all fields are required).

Depending on your app, it's possible no DM will apply.  That's OK.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎02-15-2024 07:06 AM

Imagine I have an app with Intrusion Detection data 

If I want to make my app CIM compliant I need to add aliases, tags and calculated fields like in the Intrusion Detection Datamodel ?

For example, if I have a field called "Alert level", I need to create an aliases in my app in order to rename it as "severity_id"?

Or is it better to create a own datamodel from my app and to query from this datamodel with tstats?

| tstats count from datamodel=TEST

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 07:30 AM

Don't create your own DM.  That defeats the purpose of CIM.

Your app should produce fields listed in the CIM manual for the Intrusion Detection model.  It doesn't have to produce all of the fields, but as many as apply to the data.  It also may have to adjust field values to match those expected by the DM ("high", "medium", "low", etc. in severity, for example).  Tag the data as expected by the DM.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎02-15-2024 07:43 AM

when you say "to match those expected by the DM ("high", "medium", "low", etc. in severity, for example)", where I can see this information in the DM? 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 10:09 AM

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...