Overview of the Splunk Common Information Model

The Splunk Common Information Model (CIM) is a shared semantic model focused on extracting value from data. The CIM is implemented as an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

The CIM add-on contains a collection of preconfigured data models that you can apply to your data at search time. Each data model in the CIM consists of a set of field names and tags that define the least common denominator of a domain of interest. You can use these data models to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations with Pivot.

The add-on also contains several tools that are intended to make analysis, validation, and alerting easier and more consistent. These tools include a custom command for CIM validation and a common action model, which is the common information model for custom alert actions. See Approaches to using the CIM for more information about the tools available in the CIM add-on.

The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. After you have normalized the data from multiple different source types, you can develop reports, correlation searches, and dashboards to present a unified view of a data domain. The CIM acts as a search-time schema ("schema-on-the-fly") that lets you define relationships in the event data while leaving the raw machine data intact. You can display your normalized data in the dashboards provided by other Splunk applications such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
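To make the search-time normalization concrete, here is an added Python example that emulates what the CIM does for one domain. It is not code from Splunk or from the CIM add-on. Two constructed sources (a hypothetical sshd log and a hypothetical web portal log, written for this example) get per-sourcetype extraction rules that map vendor-specific fields onto common field names, an eventtype that attaches the domain tag, a validation step in the spirit of the add-on's CIM validation command, and a cross-source correlation that only works because both sources now share the same schema. The raw line is never altered. The field names (action, app, dest, src, user) and the authentication tag follow the CIM Authentication data model as this example assumes them; the page itself names no specific model, and all sourcetype names, rule names and log lines are this example's own.

```python
"""Emulation of CIM-style search-time normalization (added example, not Splunk code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample events from two different authentication sources.
# These are hypothetical log lines written for this example, not real captures.
SAMPLE_EVENTS = [
    ("linux_secure",
     "Jan  5 10:21:03 bastion01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    ("linux_secure",
     "Jan  5 10:21:09 bastion01 sshd[1240]: Accepted publickey for alice from 198.51.100.5 port 51300 ssh2"),
    ("portal_auth",
     "ts=2024-01-05T10:22:00Z event=login outcome=OK user=bob client_ip=192.0.2.9 server=portal01"),
    ("portal_auth",
     "ts=2024-01-05T10:22:41Z event=login outcome=DENIED user=mallory client_ip=203.0.113.7 server=portal01"),
]

# The data model as this example assumes it: one tag plus the least common
# denominator of field names every authentication event must carry.
AUTH_MODEL = {
    "tag": "authentication",
    "required": ("action", "app", "dest", "src", "user"),
    "action_values": {"success", "failure"},
}


@dataclass
class Event:
    sourcetype: str
    raw: str                                  # raw machine data, never modified
    fields: dict = field(default_factory=dict)  # search-time fields layered on top
    tags: set = field(default_factory=set)


# Per-sourcetype search-time rules (hypothetical; they play the role of
# props.conf extractions, field aliases and eval statements).
SOURCETYPE_RULES: dict[str, dict] = {
    "linux_secure": {
        "extract": [
            re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<dest>\S+) sshd\["),
            re.compile(r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"),
        ],
        "constants": {"app": "sshd"},
        "evals": {"action": lambda f: "success" if f.get("outcome") == "Accepted" else "failure"},
    },
    "portal_auth": {
        "kv": re.compile(r"(\w+)=(\S+)"),                   # key=value pairs
        "aliases": {"client_ip": "src", "server": "dest"},  # vendor name -> common name
        "constants": {"app": "portal"},
        "evals": {"action": lambda f: {"OK": "success", "DENIED": "failure"}.get(f.get("outcome"), "unknown")},
    },
}

# Eventtypes (searches that select a class of events) and the tags attached to them.
EVENTTYPES: dict[str, Callable[[Event], bool]] = {
    "ssh_login": lambda e: e.sourcetype == "linux_secure" and "sshd" in e.raw,
    "portal_login": lambda e: e.sourcetype == "portal_auth" and "event=login" in e.raw,
}
TAGS = {"ssh_login": {"authentication"}, "portal_login": {"authentication"}}


def normalize(sourcetype: str, raw: str) -> Event:
    """Apply the search-time rules for a sourcetype; the raw text stays untouched."""
    ev = Event(sourcetype, raw)
    rules = SOURCETYPE_RULES.get(sourcetype, {})
    for rx in rules.get("extract", []):
        m = rx.search(raw)
        if m:
            ev.fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    if "kv" in rules:
        ev.fields.update(dict(rules["kv"].findall(raw)))
    for vendor_name, common_name in rules.get("aliases", {}).items():
        if vendor_name in ev.fields:
            ev.fields[common_name] = ev.fields[vendor_name]
    ev.fields.update(rules.get("constants", {}))
    for name, fn in rules.get("evals", {}).items():
        ev.fields[name] = fn(ev.fields)
    for et_name, matches in EVENTTYPES.items():
        if matches(ev):
            ev.tags |= TAGS.get(et_name, set())
    return ev


def validate(ev: Event, model: dict = AUTH_MODEL) -> list[str]:
    """Report why an event would not be picked up by the data model (empty list = conformant)."""
    problems = []
    if model["tag"] not in ev.tags:
        problems.append(f"missing tag {model['tag']}")
    for name in model["required"]:
        if not ev.fields.get(name):
            problems.append(f"missing field {name}")
    if "action" in ev.fields and ev.fields["action"] not in model["action_values"]:
        problems.append(f"unexpected action value {ev.fields['action']!r}")
    return problems


def search_model(events: list[Event], model: dict = AUTH_MODEL) -> list[Event]:
    """The events a search against the data model would see: tagged and fully populated."""
    return [e for e in events if not validate(e, model)]


def failures_by_src(events: list[Event]) -> dict[str, int]:
    """Vendor-agnostic correlation: failed logons per source address across all sourcetypes."""
    return dict(Counter(e.fields["src"] for e in search_model(events) if e.fields["action"] == "failure"))


if __name__ == "__main__":
    events = [normalize(st, raw) for st, raw in SAMPLE_EVENTS]
    for e in events:
        print(e.sourcetype, {k: e.fields[k] for k in AUTH_MODEL["required"]}, validate(e) or "ok")
    print("failures by src:", failures_by_src(events))
```

The correlation at the end is the payoff of normalizing first: the same source address failing against sshd and against the portal is only visible as one count because both sources now expose it as `src` with `action=failure`. An event that lacks one of the required fields (for example a portal line with no client_ip) still keeps its raw text and vendor fields, but the validator flags it and it drops out of the model search, which is the behaviour to test for before building dashboards on top.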