Module 13: Using the Common Information Model (CIM) Add-On

Question 1

What is the Common Information Model (CIM)?

Answer 1

The Splunk Common Information Model provides a methodology to normalize data

Question 2

When should leverage the Common Information Model (CIM)?

Answer 2

When creating field extractions, field aliases, event types, and tags to ensure:

• multiple apps can co-exist on a single Splunk deployment
• Object permissions can be set to global for the use of multiple apps
• Easier and more efficient correlation fo data from different sources and source types

Question 3

How set pre-configured data models are there in Splunk?

Answer 3

22:
Alerts
Application State
Authentication
Certificates
Change Analysis
CIM Validation (S.o.S)
Databases
Email
Interprocess Messaging
Intrusion Detection
Inventory
Java Virtual Machines (JVM)
Malware
Network Resolution (DNS)
Network Sessions
Network Traffic
Performance
Splunk Audit Logs
Ticket Management
Updates 
Vulnerabilities
Web

Question 4

Are the data models included in the CIM add-on are configured with data model acceleration turned off?

Answer 4

Yes they are

Question 5

How do you use the Common Information Model?

Answer 5

1. Examine your data
   - go to settings > data models
   - identify a data model relevant to your dataset
   (Best practice: Keep the CIM reference tables in Splunk docs page open in a separate tab)
2. Create event types & tags
   - identify the CIM datasets relevant to your events
   - observe which tags are required for that dataset or any parent datasets
   - apply those tags to your events using event types
3. Create field aliases
   - determine whether any existing fields in your data have different names than the names expected by the data models
   - define field aliases to capture the field with a different name in your original data and map it to the field name that the CIM expects
4. Add missing fields
   - create field extractions
   - write lookups to add fields and normalize field values
5. Validate against data model
   - use the datamodel command
   - use Pivot in Splunk Web

Question 6

What does the datamodel command allow you to do?

Answer 6

Allows user to examine data models and run the search for a datamodel object

Question 7

What kind of command is the datamodel command and how should you use it?

Answer 7

It is a generating command and should be the first command in the pipeline

Question 8

When using the datamodel command the object name and search keyword aren’t valid unless?

Answer 8

Preceded by the data model name. The command search cannot be substituted with a search string or name

Question 9

When using the datamodel command what components are case sensitive?

Answer 9

The data model name and the dataset name are both case sensitive

Question 10

What does the from command do?

Answer 10

Its retrieves data from a data model or named dataset and must be the first command in as search

Question 11

How is the from command different from the datamodel command?

Answer 11

• datamodel returns all fields prepended with data model name
• from datamodel returns specified fields only

Question 12

The from command can also?

Answer 12

Retrieve data from saved searches, reports, or lookup files