Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make data CIM compatible

jip31
Motivator
‎02-15-2024 06:29 AM

Hello

I have great difficulties to understand where to begin for using the CIM datamodel

Is anybody can clearly summarize the different ways to apply a CIM datamodel in my own apps?

Thanks in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 10:09 AM

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 06:40 AM

I'll presume you've read the CIM manual at https://docs.splunk.com/Documentation/CIM/5.3.1/User/Overview .  What specific questions do you have about what you read (or couldn't find)?

CIM is not an Easy Button.  That is, installing the app will not make your apps CIM-compliant.  Instead, you must add aliases, calculated fields, and/or other KOs so your app will produce CIM-compliant data.  The CIM manual lists the fields expected by each datamodel (not all fields are required).

Depending on your app, it's possible no DM will apply.  That's OK.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎02-15-2024 07:06 AM

Imagine I have an app with Intrusion Detection data 

If I want to make my app CIM compliant I need to add aliases, tags and calculated fields like in the Intrusion Detection Datamodel ?

For example, if I have a field called "Alert level", I need to create an aliases in my app in order to rename it as "severity_id"?

Or is it better to create a own datamodel from my app and to query from this datamodel with tstats?

| tstats count from datamodel=TEST

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 07:30 AM

Don't create your own DM.  That defeats the purpose of CIM.

Your app should produce fields listed in the CIM manual for the Intrusion Detection model.  It doesn't have to produce all of the fields, but as many as apply to the data.  It also may have to adjust field values to match those expected by the DM ("high", "medium", "low", etc. in severity, for example).  Tag the data as expected by the DM.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎02-15-2024 07:43 AM

when you say "to match those expected by the DM ("high", "medium", "low", etc. in severity, for example)", where I can see this information in the DM? 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 10:09 AM

You have to edit the DM to see the values, but it's much easier to read it from the manual.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...