Overview of the Splunk Common Information Model
The Common Information Model (CIM) contains a collection of pre-configured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest.
Why the CIM exists
The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. The CIM acts as a search-time schema ("schema-on-the-fly") to allow you to define relationships in the event data while leaving the raw machine data intact.
After you have normalized the data from multiple different source types, you can develop reports, correlation searches, and dashboards to present a unified view of a data domain. You can display your normalized data in the dashboards provided by other Splunk applications such as Splunk Enterprise Security and the Splunk App for PCI Compliance. The dashboards and other reporting tools in apps that support CIM compliance display only the data that is normalized to the tags and fields defined by the Common Information Model.
The Splunk Common Information Model add-on is packaged with Splunk Enterprise Security and the Splunk App for PCI Compliance.
How to use this manual
This manual provides reference documentation for the fields and tags that make up each data model. Refer to the reference tables to determine what tags and fields are expected for each object in a data model as you work to normalize a new data source to the CIM.
This manual also provides a step-by-step guide for how to apply the CIM to your data at search time. This portion of the manual includes a walkthrough of the procedure you should follow to
What data models are included
The following data models are included in the Splunk Common Information Model Add-on. You can find the JSON implementations of the data models in
|Data model||File name|
|CIM Validation (S.o.S)||Splunk_CIM_Validation.json|
|Data Loss Prevention||DLP.json|
|Java Virtual Machines (JVM)||JVM.json|
|Network Resolution (DNS)||Network_Resolution.json|
|Splunk Audit Logs||Splunk_Audit.json|
How the Splunk CIM compares to the DMTF CIM
The Splunk Common Information Model is an independent standard, unaffiliated with the Distributed Management Task Force CIM.
The DMTF CIM is different from the Splunk CIM. The DMTF is more hierarchical, more complex, and more comprehensive than the Splunk CIM. In the DMTF CIM, all models inherit from a single parent node, with child nodes for each model, then additional branching child nodes for sub-concepts. Thus, the DMTF's individual sub-nodes can be very complex with multiple branches in order to define most possible configurations.
In contrast, the Splunk CIM is relatively flat, simple, and flexible, because it defines only the least common denominator of concepts in a given domain rather than all possible concepts in the domain. The Splunk CIM defines fewer concepts than the DMTF CIM in order to give the developer maximum flexibility.
This manual assumes you are familiar with the full data lifecycle in the Splunk platform. If you are not yet sure how to get your data in, see Getting Data In for more information on how to set up the Splunk platform to accept new data or to learn about the types of data the Splunk platform can index.
Install the Splunk Common Information Model Add-on
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.5.0