Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Use the Common Information Model

There are two ways to use the Common Information Model: mapping data to the model, and extracting information from the model.

Mapping data to the model

To map data to the model, a user must extract fields and apply tags to match the data model as defined in the CIM app. This process can be done manually through the user interface, or directly by configuring a set of files in an add-on. The resulting add-on is called a Technology Add-on, and can be used to provide a mapping of the source data to the data model wherever this mapping is useful. For more on the process of mapping data to models, see "Extract fields and assign tags". Advanced users may also want to read the Data Source Integration Manual.
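As an added example (not taken from the Splunk manual), the following shows the kind of configuration files a Technology Add-on could carry to map a hypothetical sourcetype, acme:vpn:auth, to the Authentication data model. The sourcetype, the sample event, the vendor field names (result, uname, client_ip) and the stanza class names are assumptions; confirm the target tag and field names against the Data models section of this manual.

```ini
# Constructed sample event for the hypothetical sourcetype "acme:vpn:auth":
#   2014-04-24T10:15:02Z vpn01 login result=denied uname=jsmith client_ip=203.0.113.7

# ---- default/props.conf ----
[acme:vpn:auth]
# Search-time extraction of the vendor's own fields from the raw event
EXTRACT-acme_vpn_auth = login result=(?<result>\S+) uname=(?<uname>\S+) client_ip=(?<client_ip>\S+)
# Alias vendor field names to the field names the data model expects
FIELDALIAS-acme_vpn_user = uname AS user
FIELDALIAS-acme_vpn_src = client_ip AS src
# Normalize vendor values to the values the data model uses for "action"
EVAL-action = case(result=="granted", "success", result=="denied", "failure")
EVAL-app = "vpn"

# ---- default/eventtypes.conf ----
# The event type selects which events belong to the model
[acme_vpn_authentication]
search = sourcetype="acme:vpn:auth" "login result="

# ---- default/tags.conf ----
# The tag on the event type is what the data model's constraint matches
[eventtype=acme_vpn_authentication]
authentication = enabled
```

To check the mapping, search `tag=authentication sourcetype="acme:vpn:auth"` and confirm that `action`, `user` and `src` are populated. Events that miss the tag or the normalized fields do not appear in reports and detections built on the data model.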

Extracting information from the model

To extract information from the data model, you can use a pivot table or a search command to produce a report. In many cases the report will already have been created, and you only need to understand how it works.

A data model contains information about a domain of knowledge (data). A pivot that uses that data model creates a search based on an object contained in that data model. The data returned from that search can be saved as a search, a dashboard, or a report.

From an application, a dashboard calls a saved search to gather data to populate a view. The search might use search macros; the searches and/or macros rely on data models that use tags and field names. The tags are set by matching event types; the field names are aliased or extracted from the raw data at search time.

If you are processing data of a particular type (using a data model), see the tag and field information for that data model in the Data models section of this manual. The tags and fields that need to be mapped and extracted for that data model are listed there.

For more information about data models and pivot, see "About data models" and "Introduction to Pivot" in the core Splunk documentation.

Last modified on 24 April, 2014

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2

