Use the CIM to normalize data at search time

If you are working with a new data source, you can manipulate your already-indexed data at search time so that it conforms to the common standard used by other Splunk applications and their dashboards. Your goal might be to create a new application or add-on specific to this data source for use with Splunk Enterprise Security or other existing applications, or you might just want to normalize the data for your own dashboards.

This topic guides you through the steps to normalize your data to the Common Information Model, following established best practices. To see these steps applied in a real use case, see Use the CIM to normalize CPU performance metrics.

Before you start, keep in mind that someone else may have already built an add-on to normalize the data you have in mind. Check Splunkbase for CIM-compatible apps and add-ons that match your requirements.

If you have not already done so, get your data in to the Splunk platform. Do not be concerned about making your data conform to the CIM in the parsing or indexing phase. You normalize your data to be CIM compliant at search time. See Getting Data In if you need more direction for capturing and indexing your data.

2. Examine your data in the context of the CIM

Determine which data models are relevant for the data source you are working with. Use the CIM reference tables to find fields that are relevant to your domain and your data. You might need to normalize data from a single event or source of events against more than one data model. Some events may be logs tracking create, read, update, delete (CRUD) changes to a system, others may log the login/logout activities for that system.
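As an added illustration (not part of the original documentation), this is how one source that logs both login/logout activity and CRUD changes can be mapped to two data models with search-time knowledge objects. The sourcetype `acme:audit`, its raw fields `evt`, `username`, `result` and `target`, and the event type names are constructed for the example; the `authentication` and `change` tags and the `user`, `action` and `object` fields are the ones the CIM Authentication and Change data models expect.

```ini
# eventtypes.conf
# Split the single source into the two kinds of activity it records.
# (sourcetype and evt values are constructed sample names)
[acme_audit_auth]
search = sourcetype=acme:audit (evt=login OR evt=logout)

[acme_audit_change]
search = sourcetype=acme:audit (evt=create OR evt=update OR evt=delete)

# tags.conf
# Tag each event type so the matching CIM data model includes it.
[eventtype=acme_audit_auth]
authentication = enabled

[eventtype=acme_audit_change]
change = enabled

# props.conf
# Search-time normalization only: the indexed events are not rewritten.
[acme:audit]
# Raw field names (username, target) are constructed; user/object are CIM names.
FIELDALIAS-acme_user = username AS user
FIELDALIAS-acme_object = target AS object
# Map the source's own vocabulary onto CIM action values for both models.
EVAL-action = case((evt=="login" OR evt=="logout") AND result=="ok", "success", evt=="login" OR evt=="logout", "failure", evt=="create", "created", evt=="update", "modified", evt=="delete", "deleted")
```

Searching `tag=authentication` and `tag=change` afterwards shows which events each data model will pick up from the same source.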