Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Use the CIM to validate your data

The Common Information Model offers several built-in validation tools.

Use the datamodelsimple command

To determine which fields a data model makes available, run the custom search command datamodelsimple. You can run it interactively or automate it to retrieve the available fields for a given dataset of a data model, walking the dataset lineage recursively.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

The format expected by the command is shown below.

| datamodelsimple type=<models|objects|attributes> datamodel=<model name> object=<dataset name> nodename=<dataset lineage>

For full documentation on datamodelsimple usage, see searchbnf.conf in $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default.

Use the CIM Validation (S.o.S.) datamodel

Version 4.2.0 of the Common Information Model moves the CIM Validation datasets into their own data model. Previously, the validation datasets were located within each relevant model.

Access the CIM Validation (S.o.S.) model in Pivot. From there, you can select a top-level dataset, a Missing Extractions search, or an Untagged Events search for a particular category of data.

Top-level datasets tell you what is feeding the model. Selecting a top-level dataset in Pivot is equivalent to searching for the constraints that define the top level of the data model, but Pivot lets you validate that you are getting what you expect from the source types that you expect. For best results, split rows by source type and add a column to the table that counts how many events in each source type are missing extractions. If you see values in the missing extractions column and the data model is accelerated, you can go to the Datamodel Audit Dashboard in Splunk Enterprise Security. See Datamodel Audit Dashboard for more information. Alternatively, you can open the appropriate Missing Extractions dataset in Pivot to drill further into the attributes.

Missing Extractions datasets run searches that return the field extractions expected to fully populate the selected dataset of the data model but absent from the data, provided that events carrying the dataset's tags exist. In other words, Splunk Enterprise finds events tagged for this dataset in this model, but some of the fields the data model expects for that event type have not been extracted. If you get results, split rows by source type to find which data source is contributing events to this model without fully mapping them to the CIM.

Untagged Events runs a search for events that have a strong potential for CIM compliance but do not carry the appropriate tag or tags. The search excludes the stash source type so that summary-indexed events are not counted. For example, the Untagged Authentication search is:

(login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication

For best results, split by source type. Click the results to drill into the untagged events. Events that remain untagged never enter the data model, so any accelerated search, Pivot report or correlation search built on the Authentication data model silently misses them.
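The three validation views described above (the top-level feed split by source type, Missing Extractions, and Untagged Events) can be reproduced outside Pivot to see exactly what each one counts. The following Python script is an added example, not part of the CIM add-on or of this manual. It runs the same three checks over a handful of constructed sample events. The events, the list of expected Authentication fields (action, app, dest, src, user) and the word-boundary regex that approximates Splunk keyword matching are assumptions made for illustration, not the add-on's own definitions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not real Splunk data). Each dict holds the
# sourcetype, the tags applied by eventtypes/tags.conf, the raw text, and
# the fields a search-time pipeline would have extracted.
EVENTS = [
    {"sourcetype": "linux_secure", "tag": ["authentication"],
     "_raw": "sshd[1012]: Accepted password for alice from 10.0.0.5 port 51234",
     "action": "success", "user": "alice", "src": "10.0.0.5", "dest": "bastion01", "app": "sshd"},
    {"sourcetype": "linux_secure", "tag": ["authentication"],
     "_raw": "sshd[1013]: Failed password for bob from 10.0.0.9 port 51235",
     "action": "failure", "user": "bob", "src": "10.0.0.9", "dest": "bastion01", "app": "sshd"},
    # Tagged, but the add-on for this source only extracts action and user.
    {"sourcetype": "custom_vpn", "tag": ["authentication"],
     "_raw": "VPN login ok user=carol client=198.51.100.7",
     "action": "success", "user": "carol"},
    {"sourcetype": "custom_vpn", "tag": ["authentication"],
     "_raw": "VPN login denied user=dave client=198.51.100.8",
     "action": "failure", "user": "dave"},
    # Looks like authentication but carries no tag at all.
    {"sourcetype": "legacy_app", "tag": [],
     "_raw": "user erin authenticated via SAML from 203.0.113.4"},
    {"sourcetype": "legacy_app", "tag": [],
     "_raw": "scheduled job completed in 12s"},
    # Summary-indexed data; excluded by sourcetype!=stash.
    {"sourcetype": "stash", "tag": [],
     "_raw": "login count summary: 42"},
    # Tagged web, not authentication, yet mentions login.
    {"sourcetype": "web_access", "tag": ["web"],
     "_raw": "POST /login 302 198.51.100.20"},
]

# Assumed subset of Authentication data model fields to treat as required.
EXPECTED_AUTH_FIELDS = ("action", "app", "dest", "src", "user")

# Approximation of the keyword part of the Untagged Authentication search:
# (login OR "log in" OR authenticated). Splunk matches indexed terms; a
# case-insensitive word-boundary regex is close enough for raw text.
UNTAGGED_AUTH = re.compile(r"\b(login|log in|authenticated)\b", re.IGNORECASE)


def untagged_authentication(events):
    """Mirror of: (login OR "log in" OR authenticated) sourcetype!=stash
    NOT tag=authentication, split by sourcetype. Returns {sourcetype: count}."""
    counts = Counter()
    for ev in events:
        if ev["sourcetype"] == "stash":
            continue
        if "authentication" in ev.get("tag", []):
            continue
        if UNTAGGED_AUTH.search(ev["_raw"]):
            counts[ev["sourcetype"]] += 1
    return dict(counts)


def missing_extractions(events, expected=EXPECTED_AUTH_FIELDS):
    """Missing Extractions view: for events tagged authentication, count how
    often each expected field is absent, per sourcetype. Sourcetypes that map
    fully do not appear in the result."""
    missing = defaultdict(Counter)
    for ev in events:
        if "authentication" not in ev.get("tag", []):
            continue
        for field in expected:
            if not ev.get(field):
                missing[ev["sourcetype"]][field] += 1
    return {st: dict(c) for st, c in missing.items()}


def feed_summary(events, expected=EXPECTED_AUTH_FIELDS):
    """Top-level dataset view as suggested for Pivot: per sourcetype, how many
    tagged events feed the model and how many lack at least one expected field."""
    rows = defaultdict(lambda: {"events": 0, "missing_any": 0})
    for ev in events:
        if "authentication" not in ev.get("tag", []):
            continue
        row = rows[ev["sourcetype"]]
        row["events"] += 1
        if any(not ev.get(f) for f in expected):
            row["missing_any"] += 1
    return dict(rows)


if __name__ == "__main__":
    print("feed by sourcetype:", feed_summary(EVENTS))
    print("missing extractions:", missing_extractions(EVENTS))
    print("untagged authentication:", untagged_authentication(EVENTS))
```

Read the three results together the way you would in Pivot: custom_vpn feeds the model but never fills app, dest or src, so searches that pivot on source address will not see those logins, while legacy_app and web_access produce authentication-like events that the model does not contain at all because nothing tags them.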


This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0


Comments

Using splunk_datasets_addon, the procedure to "Use the CIM Validation (S.o.S.) datamodel" is somewhat different. From Search & Reporting, select Datasets. Select e.g. "CIM Validation (S.o.S.) > Untagged Events > Untagged Authentication". If there are any results, select "Visualize with Pivot" from the "Explore" drop-down menu. Click the count of untagged authentications to see the individual events as a Search.

DUThibault
November 29, 2017
