Simplify Your Data with Splunk CIM

The Cure for the Common Empty Dashboard

In previous blogs “Dude, Where’s My Data” (Part One and Part Two), we focused on the essential steps of onboarding your data into Splunk. Now let’s make that data useful in your dashboards. Suppose you followed those guidelines and the dashboards in the apps you installed still don’t show your data properly, or the data doesn’t show up at all.

It’s not you. It’s not the app. It’s not the data. The cause is very likely Common Information Model (CIM) compliance, or rather the lack of it.

A Rose by any Other Name Still Smells as Sweet

Shakespeare wrote that line in “Romeo and Juliet.” It is still true today, but in a world of ever-expanding data it is not quite so simple. The Common Information Model is how Splunk recognizes all the roses in your data as roses, whatever names they go by. A botanist identifies a rose by genus and species regardless of what the nursery calls it. In the same way, Splunk uses the CIM to identify the different names given to the same data, so that it can find and correlate them.

CIM-plify Your Searches

The CIM is a set of data models that Splunk uses to normalize your data: the many names a common data type goes by are mapped onto one simplified model. For example, imagine you are standing in the check-out line at the grocery store. You hear terms like “Climbing Pinky,” “Knock-Out” and “English Tea.” What are these people talking about? The answer is roses.

The same principle is at work in the CIM. It lets Splunk end users and apps search common fields across many sourcetypes. Instead of different names for roses, different fields and sourcetypes may use “user_ID,” “username” or “Login_ID” to identify the entity using a particular system, the “user.” The CIM takes the different names for the same data and maps them onto one model, normalizing the names for the same function or entity across all Splunk data. Using the CIM is a way of normalizing data for maximum efficiency at search time.

CIM Data Models

Much of the normalization work is already done for you. The CIM ships with a library of data models that already define normalized field names for common data types. Most apps are CIM compatible and rely on these models in their dashboards and searches. Here is a list of the data models already in Splunk:

Figure 1 - Data Models in Splunk

The CIM is not restricted to the field names used by your sources. You can map new source fields onto the model as needed. For example, a source that calls its user field “system_user” can have that field mapped to “user” in the model. The process is as follows:

  • Extract data fields – identify and extract the field you want to map into the data model
  • Normalize – map the field to its CIM name in the appropriate model, using a field alias or a calculated field
  • Tag – tag the events so that the data model picks them up in every search

Making Data CIM Compliant

Making data CIM compliant is easier than you might think. First, make sure your data has a proper sourcetype. Next, extract the fields from your data. Once you have extracted and identified your fields, create an alias that maps each of them to its CIM field name.

Here is an example of a field alias. It goes in props.conf, under the stanza for your sourcetype:

FIELDALIAS-user = username AS user

With this alias in place, a search on “user” also matches events whose field is called “username.” Once every name for the user field (“userID,” “system_user,” “username,” etc.) is aliased to “user,” a single search on “user” returns all of them. Without the aliases, the search would have to look something like this:

index=network (user=* OR userID=* OR system_user=* OR username=*)

The CIM normalizes these names so that every event in the network index that carries an identifier for the entity using the system can be returned with a search on just the field “user.”

Figure 2 - Fields of Authentication event datasets

The CIM can also be populated with calculated fields. In this example, a source records the outcome of an action in its own vocabulary. A calculated field maps those values onto the values the model expects, so that a search on “action” returns the normalized outcome. Take a look at this example, which also goes in the sourcetype’s props.conf stanza:

EVAL-action = if(action="OK", "success", "failure")

In this way, the CIM captures the calculated result in the “action” field: a search for action=success matches the events whose raw value was “OK,” and action=failure matches the rest, without the search having to know the source’s own vocabulary. The Authentication data model expects exactly these normalized values, such as “success” and “failure,” so a raw value like “OK” left unmapped would never appear in the model.

Figure 3 - Tags used with Authentication event datasets

Lastly, tag your events so that they match up with a dataset within the CIM. The Authentication data model, for example, selects events that carry the “authentication” tag, so without that tag the normalized fields never reach the model or the dashboards built on it.
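Here are the three steps (extract, normalize, tag) applied end to end for one sourcetype. This is an added example, not configuration from the original post or from Splunk; it assumes a hypothetical sourcetype “example:auth” whose raw events contain the fields “username,” “client_ip” and “result” (with “OK” meaning success). Those source field names are assumptions; the target names (user, src, action) and the “authentication” tag are the ones the CIM Authentication model uses.

```ini
# Added example, not from the original post. Assumed sourcetype "example:auth"
# with raw key=value events such as:
#   username=jsmith client_ip=10.0.0.5 result=OK
# The left-hand field names are assumptions for this example; the right-hand
# names (user, src, action) are CIM Authentication field names.

# --- props.conf ---------------------------------------------------------
[example:auth]
# Step 1 - Extract: pull the raw fields out of the event.
# (Omit if your sourcetype already extracts key=value pairs automatically.)
EXTRACT-auth_fields = username=(?<username>\S+)\s+client_ip=(?<client_ip>\S+)\s+result=(?<result>\S+)

# Step 2 - Normalize: field aliases map the source's names onto CIM names.
FIELDALIAS-cim_user = username AS user
FIELDALIAS-cim_src  = client_ip AS src

# Step 2 - Normalize: a calculated field maps the source's own outcome
# vocabulary onto the values the Authentication model expects.
EVAL-action = if(result="OK", "success", "failure")

# --- eventtypes.conf ----------------------------------------------------
# Step 3 - Tag: an eventtype selects the events, and the tag attached to it
# is what the Authentication data model's constraint looks for.
[example_auth_events]
search = sourcetype=example:auth

# --- tags.conf ----------------------------------------------------------
[eventtype=example_auth_events]
authentication = enabled
```

Deploy the three files to the search head (or the app that owns the sourcetype), restart Splunk or reload the configuration, and verify with a plain search first, such as sourcetype=example:auth user=* | stats count by user action. Then confirm the model sees the data with | tstats count from datamodel=Authentication by Authentication.user Authentication.action. If the plain search shows the normalized fields but the tstats search returns nothing, the usual causes are a missing tag or an action value outside the model’s vocabulary.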

Need Help Simplifying Your Data?

Kinney Group can help jump-start your dashboards by making your data CIM compliant. Our team has real-world experience matching your data types, extracting fields and mapping them into the CIM, so that your data works for you instead of you working your data to get the critical results you need.
