Overview of the Splunk Common Information Model
The Common Information Model (CIM) is a set of 21 pre-configured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest.
Why the CIM exists
The CIM allows you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. The CIM acts as a search-time schema ("schema-on-the-fly") to allow you to define relationships in the event data while leaving the raw machine data intact.
Once you have normalized the data from multiple different source types, you can develop reports, correlation searches, and dashboards to present a unified view of a data domain. You can display your normalized data in the dashboards provided by other Splunk-developed applications such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance. The dashboards and other reporting tools in apps that support CIM compliance display only the data that is normalized to the tags and fields defined by the Common Information Model.
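The following configuration is an added illustration, not part of the Splunk documentation or the CIM Add-on itself. It shows the search-time normalization described above for a hypothetical sourcetype `acme:auth` (a constructed name) being mapped onto the CIM Authentication data model: the vendor's own field names stay in the raw event, while field aliases, calculated fields and a tag make the events visible to the data model.

```ini
# Constructed sample events for sourcetype "acme:auth" (hypothetical vendor format):
#   2024-05-01T10:15:02Z OK   user=alice from=10.1.2.3 to=vpn01
#   2024-05-01T10:15:09Z FAIL user=alice from=10.1.2.3 to=vpn01

# props.conf
[acme:auth]
# Extract the vendor's native field names at search time; the raw event is untouched.
EXTRACT-acme_auth = ^\S+\s+(?<login_result>OK|FAIL)\s+user=(?<username>\S+)\s+from=(?<client_ip>\S+)\s+to=(?<server>\S+)
# Field aliases map vendor names onto the CIM Authentication field names (user, src, dest).
FIELDALIAS-acme_cim = username AS user client_ip AS src server AS dest
# Calculated fields supply the normalized values the model's datasets constrain on:
# Successful_Authentication uses action="success", Failed_Authentication uses action="failure".
EVAL-action = if(login_result=="OK", "success", "failure")
EVAL-app = "acme_auth"

# eventtypes.conf
[acme_authentication]
search = sourcetype=acme:auth

# tags.conf
# The Authentication data model's root constraint is tag=authentication, so the
# events join the model only once this tag is applied to the eventtype.
[eventtype=acme_authentication]
authentication = enabled

# Verification searches (run in Splunk after deploying the stanzas above):
#   tag=authentication app=acme_auth action=failure
#   | tstats count from datamodel=Authentication where Authentication.app="acme_auth" by Authentication.action
```

If the `tstats` search returns no rows for `acme_auth`, check the alias and tag in that order, because an event that carries the right fields but lacks the tag still never enters the model.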
How to use this manual
This manual provides reference documentation for the fields and tags that make up each data model. Refer to the reference tables to determine what tags and fields are expected for each object in a data model as you work to normalize a new data source to the CIM.
This manual also provides a step-by-step guide for how to apply the CIM to your data at search time. This portion of the manual includes a walkthrough of the procedure you should follow to
What data models are included
The following data models are included in the Splunk Common Information Model Add-on. You can find the JSON implementations of the data models in $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default/data/models.
Data model name | File name |
---|---|
Alerts | Alerts.json |
Application State | Application_State.json |
Authentication | Authentication.json |
Certificates | Certificates.json |
Change Analysis | Change_Analysis.json |
Databases | Databases.json |
Email | Email.json |
Interprocess Messaging | Interprocess_Messaging.json |
Intrusion Detection | Intrusion_Detection.json |
Inventory | Compute_Inventory.json |
Java Virtual Machines (JVM) | JVM.json |
Malware | Malware.json |
Network Resolution (DNS) | Network_Resolution.json |
Network Sessions | Network_Sessions.json |
Network Traffic | Network_Traffic.json |
Performance | Performance.json |
Splunk Audit Logs | Splunk_Audit.json |
Ticket Management | Ticket_Management.json |
Updates | Updates.json |
Vulnerabilities | Vulnerabilities.json |
Web | Web.json |
How the CIM compares to other standards
The Splunk Common Information Model is an independent standard, unaffiliated with the Distributed Management Task Force CIM.
The DMTF CIM is different from the Splunk CIM. The DMTF CIM is more hierarchical, more complex, and more comprehensive. In the DMTF CIM, all models inherit from a single parent node, with child nodes for each model, then additional branching child nodes for sub-concepts. As a result, the DMTF's individual sub-nodes may be very complex, with multiple branches, in order to define most possible configurations.
In contrast, the Splunk CIM is relatively flat, simple, and flexible, because it defines only the least common denominator of concepts in a given domain rather than all possible concepts in the domain. The Splunk CIM defines fewer concepts in order to give the developer maximum flexibility.
Prerequisites
This manual assumes you are familiar with the full data lifecycle in Splunk Enterprise. If you are not yet sure how to get your data in, see the Splunk Knowledge Manager Manual for more information on how to set up Splunk Enterprise to accept new data or to learn about "What Splunk can index" and the types of data Splunk Enterprise can index.
Get started
Install the Common Information Model Add-on to get started. Refer to the release notes and support and resource links if you encounter problems.
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1