Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Use the CIM to create reports and dashboards

If you are working with data that has already been normalized to the Common Information Model, you can use the CIM data models to generate visualizations, reports, and dashboards the same way you would use any other data model in the Splunk platform.

Your data is normalized if you or someone else in your organization has completed the normalizing steps described in Use the CIM to normalize data at search time, or if you are using an add-on that normalizes data to the CIM data models.

Example: Create a report to analyze authorization events using CIM data models

Suppose you want to create a report to monitor authorization events on your systems. Both the Authentication and Change data models contain authorization-relevant fields. You can create reports using search or using Pivot. This example uses Pivot.

Start by opening the Change data model in Pivot. You can open a data model in Pivot in two different ways, depending on whether you use the Splunk Datasets Add-on.

  • If you use Splunk Cloud or you have the Splunk Datasets Add-on, open a data model in Pivot with the following steps:
    1. In the Search and Reporting App, click Datasets.
    2. Locate the Change > All Changes > Account Management data model and datasets.
    3. Click > to review the fields available in the dataset of the data model.
    4. Click Explore > Visualize with Pivot to open Pivot to explore the data model and dataset.
  • If you do not have the Splunk Datasets Add-on, or do not use Splunk Cloud, you can open a data model in Pivot with the following steps:
    1. In the Search and Reporting App, click Pivot.
    2. Select the Change data model. Observe that it has a child dataset called Account Management.
    3. Click > next to the Account Management dataset and its child datasets to browse the available events and fields contained in the model.

Then, create a report in Pivot. This report uses the Account Management dataset of the Change data model.

For example, to see the number of account lockouts over the past hour, create a report as follows.

  1. In Pivot, select the Area Chart option.
  2. Set the time range to Last 60 minutes.
  3. If the dest_category field is populated in your data, you can filter on the destination category to review account lockouts only on specifically categorized machines. Otherwise, leave the filter blank.
  4. Leave the X-axis as the default of time.
  5. For the Y-axis, select the is_Account_Lockouts field. This field is set to 1 for events that belong to the Account Lockouts child dataset, so summing it counts lockout events in each time bucket.
  6. (Optional) Modify additional settings.
  7. Select Save As > Report to save the chart as a report.

After creating the report, you can add the report to a dashboard and adjust the permissions so that others can view it.
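The same report can be expressed as an SPL search, which is useful when you want to schedule it, alert on it, or embed it in a dashboard panel without going through Pivot. This is an added example and is not a search from the original page or shipped with the add-on. It assumes the dataset path described above (Change > All Changes > Account Management > Account Lockouts, addressed in SPL as nodename=All_Changes.Account_Management.Account_Lockouts), that the Change data model is accelerated (summariesonly=true reads only the accelerated summaries), and a constructed 5-minute bucket width for the area chart.

```spl
| tstats summariesonly=true count
    from datamodel=Change
    where nodename=All_Changes.Account_Management.Account_Lockouts earliest=-60m@m latest=now
    by _time span=5m All_Changes.dest_category
| rename All_Changes.dest_category AS dest_category
| fillnull value="uncategorized" dest_category
| timechart span=5m sum(count) AS lockouts by dest_category
```

If acceleration is not enabled for the Change data model, set summariesonly=false (or omit it); otherwise the search returns nothing even when lockout events exist. The fillnull step keeps hosts without a dest_category value visible in the chart rather than silently dropping them, which matters when the category comes from an asset lookup that does not yet cover every machine.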

Resources for using Pivot with data models

To learn more about using Pivot with data models, use the following resources.

Use the Data Model Audit and Predictive Analytics dashboards

You can also use the dashboards included with the Common Information Model to monitor your data model accelerations and searches. The Common Information Model includes two dashboards:

  • The Data Model Audit dashboard helps you analyze the performance of your data model accelerations.
  • The Predictive Analytics dashboard helps you identify outliers in your data based on the predictive analysis functionality in the Splunk platform.

Access these dashboards by going to the Search and Reporting app. From there, click Dashboards to view your list of dashboards. When the Splunk Common Information Model Add-on is installed, these two dashboards appear in the list.

For more detail on the data model audit dashboard, see Check the status of data model accelerations in this manual. For more information on the Predictive Analytics dashboard, see Predictive Analytics dashboard in Use Splunk Enterprise Security. Splunk Enterprise Security is not required for these dashboards to work.


This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.12.0, 4.13.0, 4.14.0

