WEEK_3 · DAY_16 · 1 HOUR
CIM — Common Information Model
How Splunk normalizes every log into 25 standard data models
Learning Objectives
- Understand why CIM exists
- Map a custom sourcetype to CIM
- Validate CIM compliance with the Add-on Builder
- Use tstats against accelerated CIM data models
Module 1 — Why CIM?
Logs come in 1,000 formats. ES needs ONE format to write detections against.
CIM solves this by defining standard fields per category (Authentication, Network_Traffic, Endpoint, Web, Email…).
Module 2 — How CIM Works
Each Data Model has required and recommended fields. You map your sourcetype to them via field aliases, calculated fields, eventtypes, and tags.
The Splunk Common Information Model add-on (TA) ships the data model definitions along with their acceleration settings and macros.
Module 3 — CIM Compliance Workflow
Use Splunk Add-on Builder or splunk-cim-validator.
Splunkbase TAs (Technology Add-ons) come pre-CIM-compliant for hundreds of vendors.
Module 4 — tstats on Accelerated DMs
Once a data model is accelerated, | tstats summariesonly=t count from datamodel=Authentication runs in seconds across terabytes of indexed data, because it reads the summary instead of the raw events.
Foundation of every ES correlation search.
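A scheduled detection built on the accelerated Authentication data model, as an added example that is not part of the course material or Splunk ES. The stanza name, the app it would live in, the 10-minute window and the threshold of 20 failures are assumptions; the tstats options and CIM field names are standard.

```ini
# savedsearches.conf -- constructed example (not from the course or Splunk ES);
# the search name, window and threshold are assumptions.
[Example - Excessive Failed Logons by Source]
# summariesonly=t reads only the acceleration summary: fast, but any sourcetype
# that is not CIM-mapped (or not yet accelerated) is silently absent.
# allow_old_summaries=t keeps results flowing while a summary is being rebuilt.
search = | tstats summariesonly=t allow_old_summaries=t count \
    from datamodel=Authentication.Authentication \
    where Authentication.action="failure" \
    by Authentication.src, Authentication.dest, _time span=10m \
  | rename "Authentication.*" as * \
  | where count > 20
# Run every 10 minutes over a window that ends 10 minutes ago, so late-arriving
# events have time to be summarized before the search looks at them.
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
cron_schedule = */10 * * * *
enableSched = 1
alert.severity = 4
```

The summariesonly caveat is the one to remember when tuning: a drop in alert volume can mean the attacker went quiet, or that a sourcetype lost its CIM mapping and fell out of the summary. Pair a detection like this with a coverage check (for example the Authentication DM validation query in the SPL Queries section) so both cases are visible.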
SPL Queries
Validate Authentication DM
| tstats fillnull_value="NULL" count from datamodel=Authentication by Authentication.sourcetype, Authentication.action | rename "Authentication.*" as * | sort - count
// Lists every sourcetype contributing to the Authentication DM with its action values. Without fillnull_value, tstats drops events whose by-field is null, so a sourcetype missing action would vanish from the output; with it, that sourcetype shows up with action=NULL.
Lab 16 — Validate CIM Compliance
- Open Splunk → Search.
- Run the Authentication DM validation query.
- Identify any sourcetype missing the action field.
- Write a fix: eventtype + tag in props.conf.
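One way to carry out the mapping described in Module 2 and the fix in Lab 16 step 4, as an added example that is not part of the course. The sourcetype acme:vpn, its vendor field names (result, client_ip, username, vpn_gw) and the app name are constructed for illustration. Note which file holds what: the eventtype lives in eventtypes.conf and the tag that admits events into the Authentication data model lives in tags.conf; props.conf is where the missing action field itself is supplied, because a tag on its own does not create a field.

```ini
# props.conf -- constructed example (not from the course); the sourcetype and
# vendor field names are assumptions.
[acme:vpn]
# Supply the CIM "action" field by normalizing the vendor's result codes to the
# allowed CIM values (success / failure / unknown).
EVAL-action = case(result=="OK", "success", result=="DENIED", "failure", true(), "unknown")
# Alias vendor field names onto the CIM field names the data model expects.
FIELDALIAS-acme_vpn_cim = client_ip AS src username AS user vpn_gw AS dest
EVAL-app = "acme_vpn"

# eventtypes.conf -- the eventtype selects the events that are authentication
# attempts; here every event with a result code.
[acme_vpn_auth]
search = sourcetype=acme:vpn result=*

# tags.conf -- the "authentication" tag is the root constraint of the
# Authentication data model; without it the events are never summarized.
[eventtype=acme_vpn_auth]
authentication = enabled
```

After deploying the three files and restarting or reloading the search head, re-run the Authentication DM validation query: acme:vpn should now appear with real action values rather than an empty or NULL action. If it still does not appear at all, check the eventtype search first, since a tag attached to an eventtype that matches nothing maps nothing.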
Key Takeaways
- ✓ CIM is the bridge from raw logs to ES detections
- ✓ Use Splunkbase TAs whenever possible
- ✓ tstats on accelerated DMs is the speed of ES