Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Use the CIM to normalize CPU performance metrics

This example illustrates how to normalize data for CIM-compliance for an IT Service Intelligence use case. This example provides two variations: one using Splunk Web, and another using configuration files from the command line.

Normalize data for CIM-compliance using Splunk Web

Step 1. Get your data in

For the purposes of this example, assume that you have already added data to your Splunk platform deployment. For instructions on adding data, see Getting Data In.

Step 2. Examine your data in context of the CIM

Make sure that the data that you want to extract has a dataset specified in the CIM. For example, if you want to build a KPI search based on a specific CPU performance metric, such as cpu_load_percent, review the Performance data model to make sure that the data model lists CPU as a dataset.

If the CIM does not contain the specific data that you want to extract for your KPI searches, you can use a Splunk add-on or apply the Common Information Model to your own data. See Design data models in the Splunk Enterprise Knowledge Manager Manual.

Step 3. Configure CIM-compliant event types

  1. From Splunk Web, select Settings > Data Models.
  2. Find the data model dataset that you want to map your data to, then identify its associated tags.
    For example, the CPU dataset in the Performance data model has the following tags associated with it:
    tag = performance
    tag = cpu
  3. Create an event type.
    1. Select Settings > Event types.
    2. Click New.
    3. In the Add new dialog, type the following values for the following fields.
      Destination App: ITSI
      Name: Type the name of the event type. For example, cpu_metrics.
      Search String: Type a search string for the event type. For example, sourcetype=test_cpu_log.
      Tag(s): Type the tags associated with the data model dataset you are mapping to. For example, performance, cpu.
      Color: Select a color for the event type. Priority determines which event type color displays for an event. For more information, see About event type priorities.
      Priority: Select a priority from 1 to 10, with 1 being the highest and 10 being the lowest. For more information, see About event type priorities.
  4. Click Save.

For more information, see Configure event types in Splunk Web in the Splunk Enterprise Knowledge Manager Manual.

Step 4. Verify your tags

See Use the CIM to normalize data at search time for details.

Step 5. Make fields CIM-compliant

Create field aliases to make fields CIM-compliant.

Note: Field aliases do not support multi-value fields. For more information, see Create aliases for fields.

  1. From Splunk Web, select Settings > Fields > Field Aliases.
  2. Click New.
  3. In the Add New window, type the following:
    1. For Destination App:, select ITSI.
    2. For Name:, type a name for your field alias.
    3. For Apply to:, select Sourcetype.
    4. For named:, type the name of the source type. For example, test_cpu_log.
  4. Restart the Splunk platform for your changes to take effect.
  5. Create search-time field extractions.
    If your event data contains fields that are not found in existing data models or search-time field extractions, you can add those fields using the Field Extractions page in Splunk Web. See Use the Field extractions page in the Knowledge Manager Manual.
  6. Write lookups to add fields and normalize field values.
  7. Verify fields and values.

Step 6. Validate normalized data against the data model

Now that you have mapped your data to the CIM, you can validate that your data is CIM-compliant. See 6. Validate your data against the data model.

Normalize data for CIM-compliance using configuration files

This section demonstrates how to normalize data for CIM-compliance at search-time using Splunk configuration files.

Step 1. Get your data in

For the purposes of this example, assume that you have already added data to your Splunk platform deployment. For instructions on adding data, see Getting Data In.

Step 2. Examine your data in context of the CIM

Make sure that the data that you want to extract has a dataset specified in the CIM. For example, if you want to build a KPI search based on a specific CPU performance metric, such as cpu_load_percent, review the Performance data model to make sure that the data model lists CPU as a dataset.

If the CIM does not contain the specific data that you want to extract for your KPI searches, you can use a Splunk add-on or apply the Common Information Model to your own data. See Design data models in the Splunk Enterprise Knowledge Manager Manual.

Step 3. Configure CIM-compliant event tags

  1. Determine which tags are associated with the data model dataset. In Splunk Web, select Settings > Data Models.
  2. Find the data model dataset that you want to map your data to, then identify its associated tags.
    For example, the cpu_load_percent attribute in the CPU dataset in the Performance data model has the following tags associated with it:
    tag = performance
    tag = cpu
  3. On the search head, edit or create an $SPLUNK_HOME/etc/apps/$APPNAME$/local/eventtypes.conf file, then manually add the event type.
    For example:
    [cpu_metrics]
    search = sourcetype=test_cpu_log
    
  4. On the search head, edit or create a $SPLUNK_HOME/etc/apps/$APPNAME$/local/tags.conf file, then manually add the appropriate tags for the data model dataset. For example:
    [eventtype=cpu_metrics]
    performance = enabled
    cpu = enabled
    
  5. Restart the Splunk platform.

For more information, see Configure event types in eventtypes.conf.


Step 4. Verify your tags

See Use the CIM to normalize data at search time.

Step 5. Make fields CIM-compliant

Create field aliases to make fields CIM-compliant, then add search-time field extractions for additional fields as needed.

  1. Create field aliases in props.conf. You can create multiple field aliases in a single stanza. Create your field alias by adding the following line to a stanza in the $SPLUNK_HOME/etc/apps/$APPNAME$/local/props.conf file.
    FIELDALIAS-<class> = <orig_field_name> AS <new_field_name>
    For example:
    [test_cpu_log]
    FIELDALIAS-cpu_percent = cpu_percent AS cpu_load_percent
    
  2. Restart the Splunk platform for your changes to take effect.
  3. Create basic search-time field extractions in props.conf by adding an EXTRACT stanza to $SPLUNK_HOME/etc/apps/$APPNAME$/local/props.conf:
    EXTRACT-<class> = [<regular_expression>|<regular_expression> in <source_field>]
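The three configuration-file steps above (event type, tags, field alias plus search-time extraction) can be checked offline before restarting a search head. The script below is an added example, not part of this page or the Splunk product: it parses constructed eventtypes.conf, tags.conf and props.conf stanzas that mirror the ones shown here, applies them to a constructed test_cpu_log event in the order the Splunk platform applies them at search time (EXTRACT, then FIELDALIAS, then event type matching, then tags), and reports whether the event would satisfy the CPU dataset. The event type matcher is a deliberate simplification that only understands key=value terms, and the EXTRACT regex is assumed.

```python
import configparser
import re

# Constructed stanzas that mirror this page's eventtypes.conf, tags.conf and
# props.conf examples (sample configuration, not from a real deployment).
EVENTTYPES_CONF = """
[cpu_metrics]
search = sourcetype=test_cpu_log
"""
TAGS_CONF = """
[eventtype=cpu_metrics]
performance = enabled
cpu = enabled
"""
PROPS_CONF = r"""
[test_cpu_log]
EXTRACT-cpu = host=(?P<host>\S+)\s+cpu_percent=(?P<cpu_percent>\d+(?:\.\d+)?)
FIELDALIAS-cpu_percent = cpu_percent AS cpu_load_percent
"""
# Constructed sample event, as it might arrive with sourcetype=test_cpu_log.
SAMPLE_EVENT = "2023-05-30T10:00:00Z host=web01 cpu_percent=87.5"

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. EXTRACT-cpu, FIELDALIAS-cpu_percent
    cp.read_string(text)
    return cp

def normalize(raw, sourcetype):
    """Toy model of search-time normalization. Returns (fields, tags)."""
    props, ets, tagc = load_conf(PROPS_CONF), load_conf(EVENTTYPES_CONF), load_conf(TAGS_CONF)
    fields = {"sourcetype": sourcetype}
    stanza = dict(props.items(sourcetype)) if props.has_section(sourcetype) else {}
    for key, rx in stanza.items():                 # 1. search-time field extractions
        if key.startswith("EXTRACT-") and (m := re.search(rx, raw)):
            fields.update(m.groupdict())
    for key, val in stanza.items():                # 2. field aliases: <orig> AS <new>
        if key.startswith("FIELDALIAS-"):
            orig, new = (s.strip() for s in val.split(" AS "))
            if orig in fields:
                fields[new] = fields[orig]         # the original field is kept as well
    tags = set()
    for et in ets.sections():                      # 3. event type: every k=v term must match
        terms = [t.split("=", 1) for t in ets.get(et, "search").split()]
        if all(fields.get(k) == v for k, v in terms):
            fields.setdefault("eventtype", []).append(et)
            sec = f"eventtype={et}"                # 4. tags attached to that event type
            if tagc.has_section(sec):
                tags |= {t for t, state in tagc.items(sec) if state == "enabled"}
    return fields, tags

def cim_cpu_ready(fields, tags):
    """True when the event carries the CPU dataset tags and the KPI field."""
    return {"performance", "cpu"} <= tags and "cpu_load_percent" in fields
```

Run `normalize(SAMPLE_EVENT, "test_cpu_log")` and feed the result to `cim_cpu_ready`; an event with a different source type gets neither the alias nor the tags, which is the usual reason a KPI search returns nothing after Step 5.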

For more information about field aliases, see Create aliases for fields in the Knowledge Manager Manual.

For more information about search-time field extractions, see Create basic search-time field extractions with props.conf edits.

Step 6. Validate normalized data against the data model

Now that you have mapped your data to the CIM, you can validate that your data is CIM-compliant. See 6. Validate your data against the data model.

Last modified on 30 May, 2023

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 6.0.0, 6.0.1

