Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Understand and use the Common Information Model Add-on

The Common Information Model Add-on is based on the idea that you can break down most log files into two components:

  • fields
  • event category tags

With these two components a knowledge manager can set up their log files in a way that makes them easily processable by Splunk and which normalizes noncompliant log files and forces them to follow a similar schema. The Common Information Model details the standard fields and event category tags that Splunk uses when it processes most IT data.

In the past, the Common Information Model was represented here as a set of tables that one could use to normalize their data by ensuring that they were using the same field names and event tags for equivalent events from different sources or vendors.

We've since updated the Common Information Model. It's now set up as an Add-on that implements the CIM tables as data models. You can use these data models in two ways:

  • Initially, you can use them to test whether your fields and tags have been normalized correctly.
  • After you've verified that your data is normalized you can use the models to generate reports and dashboard panels via Pivot.

You can download the Common Information Model Add-on from Splunkbase here. For a more in-depth overview of the CIM Add-on, see the Common Information Model Add-on product documentation.

Develop naming conventions for knowledge objects
Manage knowledge object permissions

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.1511, 6.3.2, 6.3.3, 6.3.4, 6.4.0 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters