What are data models?
The Common Information Model (CIM) is a set of field names and tags that are expected to define the lowest common denominator of a domain of interest in your data. In computer science terms, the CIM is the interface to which add-ons conform their data. Use the CIM to map a new data source to the proper interface, validate that the domain interface has the expected data, and start writing or using an app that expects that domain interface.
A data model defines the broad category of specific event data. It encodes the domain knowledge necessary to build a variety of specialized searches of those data sets. Data models and their objects are predefined or designed by the knowledge managers in your organization. They do a lot of the hard work for you by enabling you to quickly focus on a specific subset of event data.
Data models use these hierarchically arranged collections of data model objects to further subdivide the original data set and define the attributes on which you want Pivot to return results. Data models generate searches.
Data models define meaningful relationships in machine data, making the data in Splunk useful to broader base of users. Data models enable you to flexibly search and analyze highly diverse machine data, employing late-binding or search-time techniques for schema-creation ("schema-on-the-fly") to define relationships in the underlying data, while leaving the raw machine data intact.
For more information about data models and using Pivot to create reports, see "About Data Models" in the Knowledge Manager Manual, part of the core Splunk documentation.
Data models included with the Common Information Model add-on
These data models are included as JSON files in the Splunk_SA_CIM add-on.
Data model name | File name |
---|---|
Alert Messages | Alerts.json |
Application State | Application_State.json |
Authentication | Authentication.json |
Change Analysis | Change_Analysis.json |
Compute Inventory | Compute_Inventory.json |
Intrusion Detection/Prevention | Intrusion_Detection.json |
Java Virtual Machines | Jvm.json |
Malware | Malware.json |
Network Sessions | Network_Sessions.json |
Network Traffic | Network_Traffic.json |
Performance | Performance.json |
Splunk Audit Logs | Splunk_Audit.json |
Updates | Updates.json |
Vulnerabilities | Vulnerabilities.json |
Web and Proxy | Web.json |
See "About data models" and "What is a data model?" in the core Splunk documentation for more information about data models.
Overview | Normalize data |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
Feedback submitted, thanks!