Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

What are data models?

The Common Information Model (CIM) is a set of field names and tags that are expected to define the lowest common denominator of a domain of interest in your data. In computer science terms, the CIM is the interface to which add-ons conform their data. Use the CIM to map a new data source to the proper interface, validate that the domain interface has the expected data, and start writing or using an app that expects that domain interface.

A data model defines the broad category of specific event data. It encodes the domain knowledge necessary to build a variety of specialized searches of those data sets. Data models and their objects are predefined or designed by the knowledge managers in your organization. They do a lot of the hard work for you by enabling you to quickly focus on a specific subset of event data.

Data models use these hierarchically arranged collections of data model objects to further subdivide the original data set and define the attributes on which you want Pivot to return results. Data models generate searches.

Data models define meaningful relationships in machine data, making the data in Splunk useful to broader base of users. Data models enable you to flexibly search and analyze highly diverse machine data, employing late-binding or search-time techniques for schema-creation ("schema-on-the-fly") to define relationships in the underlying data, while leaving the raw machine data intact.

For more information about data models and using Pivot to create reports, see "About Data Models" in the Knowledge Manager Manual, part of the core Splunk documentation.

Data models included with the Common Information Model add-on

These data models are included as JSON files in the Splunk_SA_CIM add-on.

Data model name File name
Alert Messages Alerts.json
Application State Application_State.json
Authentication Authentication.json
Change Analysis Change_Analysis.json
Compute Inventory Compute_Inventory.json
Intrusion Detection/Prevention Intrusion_Detection.json
Java Virtual Machines Jvm.json
Malware Malware.json
Network Sessions Network_Sessions.json
Network Traffic Network_Traffic.json
Performance Performance.json
Splunk Audit Logs Splunk_Audit.json
Updates Updates.json
Vulnerabilities Vulnerabilities.json
Web and Proxy Web.json

See "About data models" and "What is a data model?" in the core Splunk documentation for more information about data models.

Last modified on 30 June, 2014
Overview   Normalize data

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters