Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Overview of the Splunk Common Information Model

The Common Information Model (CIM) is set of 21 pre-configured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest.

Why the CIM exists

The CIM allows you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. The CIM acts as a search-time schema ("schema-on-the-fly") to allow you to define relationships in the event data while leaving the raw machine data intact.

Once you have normalized the data from multiple different source types, you can develop reports, correlation searches, and dashboards to present a unified view of a data domain. You can display your normalized data in the dashboards provided by other Splunk-developed applications such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance. The dashboards and other reporting tools in apps that support CIM compliance display only the data that is normalized to the tags and fields defined by the Common Information Model.

How to use this manual

This manual provides reference documentation for the fields and tags that make up each data model. Refer to the reference tables to determine what tags and fields are expected for each object in a data model as you work to normalize a new data source to the CIM.

This manual also provides a step-by-step guide for how to apply the CIM to your data at search time. This portion of the manual includes a walkthrough of the procedure you should follow to

What data models are included

The following data models are included in the Splunk Common Information Model Add-on. You can find the JSON implementations of the data models in $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default/data/models.

Data model name File name
Alerts Alerts.json
Application State Application_State.json
Authentication Authentication.json
Certificates Certificates.json
Change Analysis Change_Analysis.json
Databases Databases.json
Email Email.json
Interprocess Messaging Interprocess_Messaging.json
Intrusion Detection Intrusion_Detection.json
Inventory Compute_Inventory.json
Java Virtual Machines (JVM) JVM.json
Malware Malware.json
Network Resolution (DNS) Network_Resolution.json
Network Sessions Network_Sessions.json
Network Traffic Network_Traffic.json
Performance Performance.json
Splunk Audit Logs Splunk_Audit.json
Ticket Management Ticket_Management.json
Updates Updates.json
Vulnerabilities Vulnerabilities.json
Web Web.json

How the CIM compares to other standards

The Splunk Common Information Model is an independent standard, unaffiliated with the Distributed Management Task Force CIM.

The DMTF CIM is different from the Splunk CIM. The DMTF is more hierarchical, more complex, and more comprehensive. In the DMTF CIM, all models inherit from a single parent node, with child nodes for each model, then additional branching child nodes for sub-concepts. Thus, the DMTF's individual sub-nodes may be very complex with multiple branches in order to define most possible configurations.

In contrast, the Splunk CIM is relatively flat, simple, and flexible, because it defines only the least common denominator of concepts in a given domain rather than all possible concepts in the domain. The Splunk CIM defines fewer concepts in order to give the developer maximum flexibility.


This manual assumes you are familiar with the full data lifecycle in Splunk Enterprise. If you are not yet sure how to get your data in, see the Splunk Knowledge Manager Manual for more information on how to set up Splunk Enterprise to accept new data or to learn about "What Splunk can index" and the types of data Splunk Enterprise can index.

Get started

Install the Common Information Model Add-on to get started. Refer to the release notes and support and resource links if you encounter problems.

Install the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters