Understand and use the Common Information Model Add-on
The Common Information Model Add-on is based on the idea that you can break down most log files into two components:
- event category tags
With these two components a knowledge manager can set up their log files in a way that makes them easily processable by Splunk and which normalizes noncompliant log files and forces them to follow a similar schema. The Common Information Model details the standard fields and event category tags that Splunk uses when it processes most IT data.
In the past, the Common Information Model was represented here as a set of tables that one could use to normalize their data by ensuring that they were using the same field names and event tags for equivalent events from different sources or vendors.
We've since updated the Common Information Model. It's now set up as an Add-on that implements the CIM tables as data models. You can use these data models in two ways:
- Initially, you can use them to test whether your fields and tags have been normalized correctly.
- After you've verified that your data is normalized you can use the models to generate reports and dashboard panels via Pivot.
You can download the Common Information Model Add-on from Splunkbase here. For a more in-depth overview of the CIM Add-on, see the Common Information Model Add-on product documentation.
Develop naming conventions for knowledge objects
Manage knowledge object permissions
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.1511, 6.3.2, 6.3.3, 6.3.4, 6.4.0