Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

How do I know if I'm using CIM correctly?

This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.

The Common Information Model describes what needs to be normalized in specific event data, and the data models implement that description. Data models help to enforce the CIM. If your data is not properly mapped with tags and fields, the data will not show up in reports or dashboards that you created using data models and pivot. In this way, data models can be used to verify that your data complies with the Common Information Model.

Verify your data

Install the Splunk_SA_CIM and create a new pivot from a data model that uses the new data type. If there is no data present in the pivot created from that data model, something is broken.

For example, select one of the Missing Extractions objects in the Compute Inventory data model and click Pivot to create a new pivot, searching for these missing extractions. If any extractions are found, it indicates that there is data that is not correctly mapped. If the pivot search returns zero, then there are no missing extractions and your data is mapped correctly for this object.

Last modified on 18 October, 2013
Extract fields and assign tags   How to get support and find out more about Splunk

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters