
How to use the CIM data model reference tables

Each topic in this section contains a use case for the data model, a breakdown of the required tags for the event datasets or search datasets in that model, and a listing of all extracted and calculated fields included in the model.

A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

The tags tables communicate which tags you must apply to your events in order to make them CIM-compliant. These tags act as constraints to identify your events as relevant to this data model, so that this data is included in Pivot reports, searches, and dashboards based on this model.

There might be additional constraints outside the scope of these tables. Refer to the data model itself using its editor view in Splunk Web for required fields, field=value combinations, or base searches that the model depends on.

Apply tags to your events to ensure your data is populated in the correct dashboards, searches, and Pivot reports.

1. Identify the CIM data model relevant to your events.
2. Identify the dataset within that model that is relevant to your events.
3. Observe which tags are required for that dataset.
4. Observe which tags are required for any parent datasets.
5. Observe any other constraints relevant to the dataset or its parents.
6. Apply those tags and other constraints to your events using event types.
7. Repeat for any additional relevant CIM datasets.

For a detailed walkthrough of these steps, see Use the CIM to normalize data at search time.

The fields tables list the extracted fields and calculated fields for the event and search datasets in the model and provide descriptions and expected values (if relevant) for these fields.

The table presents the fields in alphabetical order, starting with the fields for the root datasets in the model, then proceeding to any unique fields for child datasets. The table does not repeat any fields that a child dataset inherits from a parent dataset, so refer to the parent dataset to see the description and expected values for that field.

Because the fields tables exclude inherited fields, many child datasets have no fields listed in the table at all. Those child datasets include only inherited fields from one or more of their parent datasets, so there are no unique extracted or calculated fields to display. All data models inherit the fields _time, host, source, and sourcetype, so those fields are always available to you for use in developing Pivot reports, searches, and dashboards.

For some fields, the tables include one or more expected values for that field:

- values that are used in knowledge objects in downstream applications such as Splunk Enterprise Security (in the table as "ES expects").
- values that are used in the CIM model as constraints for a dataset (in the table as "Other").

In some cases, the expected values also include additional values that Splunk suggests as the normalized standards for a field.
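
The tagging steps above, worked through in Python as an added example that is not part of the Splunk documentation: it walks a dataset's parent chain to collect the required tags and other constraints, then builds the eventtypes.conf and tags.conf stanzas that apply them. The dataset table is a constructed sample modelled on the Authentication model, and the event type name and sourcetype are hypothetical.

```python
# Constructed sample table, shaped like a CIM tags table (names modelled on the
# Authentication model; confirm against the model's editor view in Splunk Web).
DATASETS = {
    "Authentication": {"parent": None, "tags": ["authentication"], "other": []},
    "Default_Authentication": {"parent": "Authentication", "tags": ["default"], "other": []},
    "Failed_Default_Authentication": {"parent": "Default_Authentication", "tags": [],
                                      "other": ['action="failure"']},
}


def requirements(dataset, datasets=DATASETS):
    """Steps 3-5: gather tags and other constraints from the dataset and all parents."""
    tags, other, seen = [], [], set()
    while dataset is not None:
        if dataset in seen:
            raise ValueError(f"inheritance cycle at {dataset!r}")
        if dataset not in datasets:
            raise KeyError(f"unknown dataset {dataset!r}")
        seen.add(dataset)
        node = datasets[dataset]
        # Prepend so that root-dataset requirements come first in the output.
        tags = [t for t in node["tags"] if t not in tags] + tags
        other = [c for c in node["other"] if c not in other] + other
        dataset = node["parent"]
    return tags, other


def render_conf(eventtype, search, dataset, datasets=DATASETS):
    """Step 6: build eventtypes.conf and tags.conf stanzas for one event type."""
    if not search.strip():
        raise ValueError("an event type needs a non-empty search")
    tags, other = requirements(dataset, datasets)
    # Non-tag constraints cannot be set in tags.conf; surface them as comments.
    notes = "".join(f"# events must also satisfy: {c}\n" for c in other)
    eventtypes = f"{notes}[{eventtype}]\nsearch = {search}\n"
    tag_stanza = f"[eventtype={eventtype}]\n" + "".join(f"{t} = enabled\n" for t in tags)
    return {"eventtypes.conf": eventtypes, "tags.conf": tag_stanza}


if __name__ == "__main__":
    # Hypothetical event type name and sourcetype.
    out = render_conf("myapp_default_login_failure",
                      'sourcetype="myapp:auth" action="failure"',
                      "Failed_Default_Authentication")
    for name, body in out.items():
        print(f"--- {name} ---\n{body}")
```

A child dataset with no tags of its own still yields its parents' tags, which is why an event type that skips them never reaches the searches and dashboards built on the model.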
