Non-CIM complaint mapping for cloud storage data

Use the following table to map the Splunk CIM field name to the non-CIM field name for cloud storage data. You can use the impala field names to validate the mapping values. The SPL examples show how to adjust field names and values to get cloud storage data into Splunk UBA correctly:

Splunk CIM field name	Non-CIM field name example	Impala table field (fileaccess_s)	Example values ((Field_name, Filed_value)	SPL example
file_size	FILE_SIZE_BYTE	resourcesize	(FILE_SIZE_BYTE: 10280)	rename FILE_SIZE_BYTE as file_size
object	SOURCE_FILE_NAME	resourcename	(SOURCE_FILE_NAME,'this_picture.png')	rename SOURCE_FILE_NAME as object
object_type	ITEM_TYPE	resourcetype	ITEM_TYPE, 'File') (ITEM_TYPE, 'Folder') (ITEM_TYPE, 'Document') (ITEM_TYPE, 'Image')	rename ITEM_TYPE as object_type
file_hash	ITEM_UNIQUE_ID	resourceid	(ITEM_UNIQUE_ID, '17283982137')	rename ITEM_UNIQUE_ID as file_hash
object_path	FILE_PATH	source	(FILE_PATH, '/bpatinho/photos')	rename FilePath as object_path
parent_category	PARENT_RS_TYPE	parentpathtype	(PARENT_RS_TYPE, 'Folder') (PARENT_RS_TYPE, 'Link')	rename PARENT_RS_TYPE as parent_category
parent_hash	PARENT_HASH_ID	parentpathid	(PARENT_HASH_ID, '9864239674')	rename PARENT_HASH_ID as parent_hash
src_user	SRC_USER	source	(SRC_USER, 'user1') (SRC_USER,'user2')	rename SRC_USER as src_user
change_type	OPERATION	evcls	(Operation,' FileDownload') (OPERATION,'FILEPREVIEW') (OPERATION,'FILEDELETE') (OPERATION,'FILECREATE') (OPERATION,'FILEEDIT')	| eval change_type=case(match(lower(change_type), "FILEDELETE","delete", match(lower(change_type)," FileDownload"), "download", match(lower(change_type), "FILECOPIED"),"create", match(lower(change_type)," FILEPREVIEW"),"preview", match(lower(change_type), "FILEEDIT"),"edit")
app	APP_NAME	servicename	(APP_NAME,'Box') (APP_NAME,' Office365') (APP_NAME,' Google Drive')	rename APP_NAME as app
dest_user	DEST_USER	destinationusername	(DEST_USER, 'Cronaldo')	rename DEST_USER as dest_user