Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Use the CIM to create reports and dashboards

If you are working with data that has already been normalized to the Common Information Model, you can use the CIM data models to generate visualizations, reports, and dashboards the same way you would use any other data model in the Splunk platform. Data is already normalized when you or someone else in your organization has completed the normalizing steps described in "Use the CIM to normalize data at search time", or when you are using an add-on that takes care of CIM compliance.

Example: Analyzing Authorization events using CIM data models

For example, suppose you want to build a dashboard to monitor authorization events on your systems.

1. In the Search and Reporting App, click Pivot.

2. Select the Change Analysis data model. Observe that it has a child object called Account Management.

3. Click > next to the Account Management object and its sub-objects to browse the available events and fields contained in the model.

4. Decide on a useful metric to display, then use Pivot to generate the relevant search. Need more guidance? See the Resources for using Pivot, below.

5. When you are satisfied with the results, save your search as a report.

6. Repeat as needed until you have saved several reports tracking metrics of interest.

7. Switch to the Authentication data model and browse the available events and fields contained in this model for additional relevant metrics.

8. Click into the objects or attributes and develop searches using Pivot, saving your results as reports.

9. Create a new dashboard and add your saved reports to it.
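
The following search shows the kind of metric that steps 4 and 7 lead to. It is written by hand with `tstats` against the Authentication data model rather than generated by Pivot, and it is an added example, not part of the Splunk manual. It assumes the Authentication data model is populated with CIM-compliant events. The one-hour span and the threshold of 10 failures are constructed values that you should tune for your environment.

```spl
| tstats count AS failures dc(Authentication.user) AS distinct_users
    from datamodel=Authentication
    where Authentication.action="failure"
    by _time Authentication.src span=1h
| rename Authentication.src AS src
| where failures >= 10
| sort - failures
```

Saved as a report, this gives one dashboard panel listing the sources with the most failed authentications per hour and how many distinct accounts each one tried.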

Resources for using Pivot

For more information about data models and using Pivot to create reports, see "About Data Models" in the Knowledge Manager Manual, part of the Splunk Enterprise documentation.

For a full guide to using Pivot, see the Pivot Manual in the Splunk Enterprise documentation.

Use the Data Model Audit and Predictive Analytics dashboards

You can also use the dashboards included with the Common Information Model to monitor your data model accelerations and searches. The Common Information Model includes two preconfigured dashboards:

  • The Data Model Audit dashboard helps you analyze the performance of your data model accelerations.
  • The Predictive Analytics dashboard helps you identify outliers in your data based on the predictive analysis functionality in the Splunk platform.

Access these dashboards by going to the Search and Reporting app. From there, click Dashboards to view your list of dashboards. When the Splunk Common Information Model Add-on is installed, these two dashboards appear in the list.

Further documentation about these dashboards is available in the Splunk Enterprise Security documentation at the links below.

Splunk Enterprise Security is not required for these dashboards to work.

Last modified on 12 February, 2019

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.4.0

