
Developing a CIM compliant add-on, is it mandatory to map ALL my data fields to those of the data model's?

prabhasgupte

When developing a CIM-compliant add-on, is it mandatory to map ALL of my data fields to the data model's fields?

Does that affect/keep my data from appearing in ES?


MichaelPriest

No, you don't have to map all of your fields when creating the data model. You may have 50 data fields but only want 25 in your data model; you set this when creating it: you specify the fields to include. Have a look at the Knowledge Manager Manual located here for more detail:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/WhatisSplunkknowledge
