How do I know if I'm using CIM correctly?
| This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected. |
The Common Information Model describes what needs to be normalized in specific event data, and the data models implement that description. Data models help to enforce the CIM. If your data is not properly mapped with tags and fields, the data will not show up in reports or dashboards that you created using data models and pivot. In this way, data models can be used to verify that your data complies with the Common Information Model.
Verify your data
Install the Splunk_SA_CIM and create a new pivot from a data model that uses the new data type. If there is no data present in the pivot created from that data model, something is broken.
For example, select one of the Missing Extractions objects in the Compute Inventory data model and click Pivot to create a new pivot, searching for these missing extractions. If any extractions are found, it indicates that there is data that is not correctly mapped. If the pivot search returns zero, then there are no missing extractions and your data is mapped correctly for this object.
| Extract fields and assign tags | How to get support and find out more about Splunk |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
Download manual
Feedback submitted, thanks!