Map to data model
Version 2.2.0 and later of the Splunk Add-on Builder lets you map the fields from your data events to the fields in any data model, including CIM data models.
- If you want to map your data to a CIM data model, the Splunk Common Information Model add-on is required to use this feature. Download the Splunk Common Information Model add-on from Splunkbase and see Install the Splunk Common Information Model Add-on for details on how to install this add-on.
- If you want to map to your own data model, the model needs to support the standard defined under the Create a data model section.
Before you apply the data model mapping to your add-on, you must configure one or more source types for your add-on by creating a data input, by adding data from a sample file, or by adding indexed data from Splunk.
Configure the following,
In Map to data model, map the fields from your data to the fields in one of the predefined data models to normalize data at search time.
- On your add-on homepage, click Map to data model on the Add-on Builder navigation bar.
- On the Data Model Mapping page, click New Data Model Mapping.
- On the Data Model Mapping >> Define Event Type page, define an event type to generate events from which to extract fields:
- Enter a name for the event type.
- Select a source type from which to generate events.
- Enter a search to select events. By default, the search selects all events for the source type you selected, but you can apply additional search criteria as needed.
- Click Save.
- From the center panel, select one or more data models to use. Then you can also select individual datasets within a data model. Fields from your event type are displayed for reference, and fields from the selected data models are also displayed.
- When you have finished selecting data models, click Done.
- Select FIELDALIAS to map a field from the data model to a field from your event type.
- Select EVAL to map a field from the data model to an expression based on a field from your event type.
- To define a field alias, click one field name from the Data Model Fields list and one from the Event Type Fields list. ZDefine the field alias, then click OK at the end of the new row in the Data Model Mapping List.
- If you are defining an expression, click one field name from the Data Model Fields list and one or more fields from the Event Type Fields list. Edit the expression in the Event Type Field or Expression column, then click OK at the end of the new row in the Data Model Mapping List.
The Data Model Mapping page displays an entry for the mapping you just completed.
For more information, see the following Splunk Enterprise documentation:
Create alert actions
This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0, 3.0.0, 3.0.1