Splunk® Enterprise

Knowledge Manager Manual

Understand and use the Common Information Model Add-on

The Common Information Model Add-on is based on the idea that you can break down most log files into two components:

  • fields
  • event category tags

With these two components, a knowledge manager can normalize log files at search time so that they follow a similar schema. The Common Information Model details the standard fields and event category tags that Splunk software uses when it processes most IT data.

In the past, the Common Information Model was represented here as a set of tables that you could use to normalize your data by ensuring that equivalent events from different sources or vendors used the same field names and event tags.

Now, the Common Information Model is delivered as an add-on that implements the CIM tables as data models. You can use these data models in two ways:

  • Initially, you can use them to test whether your fields and tags have been normalized correctly.
  • After you have verified that your data is normalized, you can use the models to generate reports and dashboard panels via Pivot.
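
The following is an added example, not taken from the Splunk documentation or the CIM add-on, of what search-time normalization looks like in configuration. Two hypothetical sourcetypes, `vendor_a:auth` and `vendor_b:login`, with constructed raw field names, are mapped to the `user`, `src`, `dest` and `action` fields and the `authentication` tag that the CIM Authentication data model uses. The three files are shown in one block; each file-name comment marks where a separate .conf file begins.

```ini
# props.conf: search-time field normalization (sourcetype names are hypothetical)
[vendor_a:auth]
# Vendor A raw fields (constructed): username, client_ip, host_name, result
FIELDALIAS-cim_auth = username AS user client_ip AS src host_name AS dest
# Values not listed in case() leave action unset, which shows up as a gap when testing
EVAL-action = case(result=="OK", "success", result=="DENIED", "failure")

[vendor_b:login]
# Vendor B raw fields (constructed): acct, remote_addr, server, outcome
FIELDALIAS-cim_auth = acct AS user remote_addr AS src server AS dest
EVAL-action = case(outcome=="accepted", "success", outcome=="rejected", "failure")

# eventtypes.conf: one event type per source of authentication events
[vendor_a_authentication]
search = sourcetype="vendor_a:auth"

[vendor_b_authentication]
search = sourcetype="vendor_b:login"

# tags.conf: attach the event category tag to each event type
[eventtype=vendor_a_authentication]
authentication = enabled

[eventtype=vendor_b_authentication]
authentication = enabled
```

With this in place, a search such as `tag=authentication | stats count by sourcetype, action, user, src` returns events from both sourcetypes under the same field names, which is the condition the data model test checks for.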

You can download the Common Information Model Add-on from Splunkbase. For a more in-depth overview of the CIM add-on, see the Common Information Model Add-on product documentation.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2

