Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Match TA event types with CIM data models to accelerate searches

Splunk Enterprise Security uses the Common Information Model (CIM) add-on to accelerate searches by associating event types generated by Technology Add-ons with the data models.

Forwarders send events to the Splunk indexers. These events are stored in indexes. To identify the type of event, tags are assigned to the events based on certain field conditions. Events can be classified based on event type and associated with specific data models defined in the CIM app.

The CIM data models are implementations of schemas that represent the different types of events. Data model acceleration searches run on a schedule using knowledge objects and summarize the events. Searches built into the CIM data models use tags to search for the summarized events that match the data model. Index constraints in CIM data models determine which indexes might be included in a search.

These index constraints prevent the Splunk Platform from searching across all stored data and focus only on the relevant indexes. Thus, searches can be accelerated because the data is normalized through the connection established between the field tags, event types, and the CIM data models, which reduces the scope of the search.

Event types are a categorization system that help to make sense of the data. Event types are defined for a subset of events. For more information on event types, see About event types.

Use the following figure for an overview of how data is ingested into Splunk Enterprise Security and normalized using CIM data models:

Overview of getting data into Splunk Enterprise Security using CIM data models

The following example illustrates how event types are matched using data models and are used in correlation searches to accelerate searches and generate alerts. In this example, aws_cloudtrail_consolelogin-auth is a type of event ingested from Amazon Web Services (AWS) that feeds into Technology Add-ons (TA).

  1. TAs identify events that match the event type defined in the eventtypes.conf file.
  2. The following stanza in the eventtypes.conf file identifies the events that match the event type:

    [aws_cloudtrail_consolelogin-auth]
    search = sourcetype="aws_cloudtrail" eventname="ConsoleLogin" additionalEventData.LoginTo=*

  3. Tags that are applicable to the event are defined in the tags.conf file. The tag defined for this event type in the tags.conf file is: authentication. Tags assign names to specific field and value combinations that reflect different aspects of an event's identity, and they enable tag-based searches that narrow the search results. For more information on tags, see Tags.
  4. TAs assign the authentication tag to the event types. The CIM Authentication data model searches by the authentication tag.
  5. Dashboards and searches in Splunk Enterprise Security use the Authentication data model to search the accelerated summaries of event data that describe login activities from any data source. For more information on the Authentication data model, see Authentication.
  6. Results from the searches are stored in a High Performance Analytics Store. Data model acceleration allows searches against a high volume of events while maintaining performance levels.
  7. Data models are also used in correlation searches to search accelerated data and generate alerts.
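To make the eventtypes.conf to tags.conf chain concrete, the following added Python example (not part of the Splunk documentation or of any add-on) parses constructed stanzas in the two formats shown above and reports which event types and tags a sample event would receive; the sample events and their field values are constructed, and the matcher supports only the simple field=value subset of search syntax used by this event type.

```python
import configparser
import fnmatch

# Constructed config fragments in eventtypes.conf / tags.conf format
# (not copied from the Splunk Add-on for AWS).
EVENTTYPES_CONF = """
[aws_cloudtrail_consolelogin-auth]
search = sourcetype="aws_cloudtrail" eventName="ConsoleLogin" additionalEventData.LoginTo=*
"""

TAGS_CONF = """
[eventtype=aws_cloudtrail_consolelogin-auth]
authentication = enabled
"""

def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def search_terms(search):
    """Split a conjunctive field=value search into (field, pattern) pairs."""
    return [(f, v.strip('"')) for f, _, v in (tok.partition("=") for tok in search.split())]

def event_matches(event, search):
    # field=* requires the field to exist; values compare case-insensitively, like Splunk
    return all(
        f in event and fnmatch.fnmatchcase(str(event[f]).lower(), p.lower())
        for f, p in search_terms(search)
    )

def tags_for_event(event, eventtypes, tags):
    """Return (matched event types, enabled tags) for one event, as the TA/tags.conf chain would."""
    matched = [et for et, st in eventtypes.items() if event_matches(event, st["search"])]
    enabled = {t for et in matched for t, s in tags.get(f"eventtype={et}", {}).items() if s == "enabled"}
    return matched, sorted(enabled)

# Constructed sample events: a console login and an unrelated API call
LOGIN_EVENT = {"sourcetype": "aws_cloudtrail", "eventName": "ConsoleLogin",
               "additionalEventData.LoginTo": "https://console.aws.amazon.com/"}
OTHER_EVENT = {"sourcetype": "aws_cloudtrail", "eventName": "DescribeInstances"}

if __name__ == "__main__":
    ets, tgs = parse_conf(EVENTTYPES_CONF), parse_conf(TAGS_CONF)
    print(tags_for_event(LOGIN_EVENT, ets, tgs))  # (['aws_cloudtrail_consolelogin-auth'], ['authentication'])
    print(tags_for_event(OTHER_EVENT, ets, tgs))  # ([], [])
```

Because the Authentication data model selects events by the authentication tag, the second event would never be summarized into it, which is the scoping effect the text describes.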

The following figure provides an overview of how TA event types are associated with CIM data models to accelerate searches in Splunk Enterprise Security.


Overview of the connection between TA events and the CIM data models

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.0
