Use the Common Information Model
There are two ways to use the Common Information Model: mapping data to the model, and extracting information from the model.
Mapping data to the model
To map data to the model, a user must extract fields and apply tags to match the data model as defined in the CIM app. This process can be done manually through the user interface, or directly by configuring a set of files in an add-on. The resulting add-on is called a Technology Add-on, and can be used to provide a mapping of the source data to the data model wherever this mapping is useful. For more on the process of mapping data to models, see "Extract fields and assign tags". Advanced users may also want to read the Data Source Integration Manual.
Extracting information from the model
To extract information from the data model, you can use a pivot table or a search command to produce a report. In many cases the report will already have been created, and you only need to understand how it works.
A data model contains information about a domain of knowledge (data). A pivot that uses that data model creates a search based on an object contained in that data model. The data returned from that search can be saved as a search, a dashboard, or a report.
From an application, a dashboard calls a saved search to gather data to populate a view. The search might use search macros; the searches and/or macros rely on data models that use tags and field names. The tags are set by matching event types, and the field names are aliased or extracted from the raw data at search time.
If you are processing data of a particular type (using a data model), see the tag and field information for that data model in the Data models section of this manual. The tags and fields that need to be mapped and extracted for that data model are listed there.
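As an added illustration of the mapping process described above (configuring add-on files so that tags come from event types and CIM field names come from search-time aliases and extractions), here is a minimal Technology Add-on configuration that maps a constructed application login log to the CIM Authentication data model. This is example configuration, not from the Splunk documentation or the CIM add-on; the sourcetype name myapp:auth, the event format and the regular expression are assumptions.

```ini
# Constructed sample event (sourcetype myapp:auth, assumed), one line:
#   2024-05-01T10:22:03Z login result=FAIL account=jdoe client=203.0.113.5 server=web01

# --- props.conf: search-time extractions, aliases and normalizations ---
[myapp:auth]
# Pull the application's own field names out of the raw event
EXTRACT-myapp_auth = result=(?<result>\w+)\s+account=(?<account>\S+)\s+client=(?<client>\S+)\s+server=(?<server>\S+)
# Alias the application field names to the CIM Authentication field names
FIELDALIAS-myapp_auth_cim = account AS user client AS src server AS dest
# Normalize the vendor result value to the CIM action values "success" / "failure"
EVAL-action = if(result=="OK", "success", "failure")
# The Authentication model expects the application name in the app field
EVAL-app = "myapp"

# --- eventtypes.conf: identify the events this mapping covers ---
[myapp_authentication]
search = sourcetype="myapp:auth"

# --- tags.conf: tag the event type so the Authentication data model includes it ---
[eventtype=myapp_authentication]
authentication = enabled
```

With these three files in place, a pivot or `| datamodel Authentication` search returns the sample event with user=jdoe, src=203.0.113.5, dest=web01 and action=failure.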
For more information about data models and pivot, see "About data models" and "Introduction to Pivot" in the core Splunk documentation.
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0