Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Map to CIM

In Map to CIM, map the fields from your data to the fields in one of the predefined common information models (CIM) to normalize data at search time.

The Splunk Common Information Model add-on is required to use this feature.

Before you apply CIM mapping to your add-on, you must configure one or more source types for your add-on by creating a data input, by adding data from a sample file, or by adding indexed data from Splunk.

To map fields to the CIM

  1. On your add-on homepage, click Map to CIM on the Add-on Builder navigation bar.
  2. On the CIM Mapping page, click New CIM Mapping.
  3. On the CIM Mapping >> Define Event Type page, define an event type to generate events from which to extract fields:
    • Enter a name for the event type.
    • Select a source type from which to generate events.
    • Enter a search to select events. By default, the search selects all events for the source type you selected, but you can apply additional search criteria as needed.
    • Click Save.

      • AddonBuilder2.1 EventType.png

  4. On the CIM Mapping >> CIM Mapping Details page, click Select CIM Models.
  5. On the CIM Mapping >> Select CIM Models page, select the CIM fields to use for mapping:
    • From the center panel, select one or more CIM models to use. You can also select individual datasets within a CIM model. Fields from your event type are displayed for reference, and fields from the selected CIM models are also displayed.
    • When you have finished selecting CIM models, click Select.

      • AddonBuilder2.1 CIMModels.png

  6. On the CIM Mapping >> CIM Mapping Details page, click New Knowlege Object and select the type of mapping to create:
    • Select FIELDALIAS to map a field from the CIM model to a field from your event type.
    • Select EVAL to map a field from the CIM model to an expression based on a field from your event type.
  7. Define a field alias or expression in the new row that was added to the CIM Mapping List:
    • If you are defining a field alias, click one field name from the CIM Model Fields list and one from the Event Type Fields list, and then click OK at the end of the new row in the CIM Mapping List.
    • If you are defining an expression, click one field name from the CIM Model Fields list and one or more fields from the Event Type Fields list. Edit the expression in the Event Type Field or Expression column, then click OK at the end of the new row in the CIM Mapping List.

      • AddonBuilder2.1 CIMMapping.png

  8. Repeat steps 6-7 as needed.
  9. Click Done when you have finished CIM mapping.


The CIM Mapping page displays an entry for the mapping you just completed.

Learn more

For more information, see the following Splunk Enterprise documentation:

Last modified on 26 June, 2017
Extract fields   Create alert actions

This documentation applies to the following versions of Splunk® Add-on Builder: 2.1.0, 2.1.1, 2.1.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters