WEEK_3 · DAY_16 · LAB
Lab 16 — Validate CIM Compliance
How Splunk normalizes every log into 25 standard data models
Lab Objectives
- Understand why CIM exists
- Map a custom sourcetype to CIM
- Validate CIM compliance with the Add-on Builder
- Use tstats against accelerated CIM data models
Lab Instructions
1. Open Splunk → Search.
2. Run the Authentication DM validation query.
3. Identify any sourcetype missing the action field.
4. Write a fix: eventtype + tag in props.conf.
SPL for this Lab
Validate Authentication DM
| tstats count from datamodel=Authentication by Authentication.sourcetype, Authentication.action | rename "Authentication.*" as * | sort - count
// Lists every sourcetype contributing to the Authentication DM and whether action is mapped.
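
A possible fix for step 4, as an added example that is not part of the original lab: it assumes a hypothetical sourcetype `acme:vpn:auth` whose raw events carry `result`, `username`, `client_ip` and `gateway` fields (all constructed names). In Splunk the field mapping goes in props.conf, while the eventtype and its tag are defined in eventtypes.conf and tags.conf.

```ini
# Added example. The sourcetype acme:vpn:auth and its raw fields
# (result, username, client_ip, gateway) are constructed for illustration.

# ---- props.conf: search-time field normalization ----
[acme:vpn:auth]
# Map the vendor's result codes onto the CIM action values success / failure.
EVAL-action = case(result=="OK", "success", result=="DENIED", "failure")
# Rename vendor fields to the CIM Authentication field names.
FIELDALIAS-acme_vpn_cim = username AS user client_ip AS src gateway AS dest
# Constant identifying the authenticating application.
EVAL-app = "acme_vpn"

# ---- eventtypes.conf: select the events that are authentication attempts ----
[acme_vpn_authentication]
search = sourcetype="acme:vpn:auth" result=*

# ---- tags.conf: tag the eventtype so the Authentication DM picks it up ----
[eventtype=acme_vpn_authentication]
authentication = enabled
```

Rerun the validation query afterwards; time ranges that acceleration has already summarized reflect the old mapping until the summary is rebuilt.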