
Tuesday, March 12, 2024

04_PS_Splunk 9_Employing the Splunk Common Information Model (CIM)

Contents

1 Course Overview

2 Getting Familiar with the Splunk Common Information Model

2.1 Getting Familiar with the Splunk Common Information Model

2.2 Examining a Few of the CIM Data Models

2.3 Splunk Knowledge Objects

2.4 Knowledge Objects Included in the CIM

2.5 Demo: Splunk CIM

3 Configuring the Common Information Model Add-on

3.1 Configuring and Employing the Common Information Model Add-on

3.2 Introducing Our Use Case

3.3 *Demo: Making Data CIM Compliant in Splunk


1. Course Overview


2. Getting Familiar with the Splunk Common Information Model

2.1 Getting Familiar with the Splunk Common Information Model


2.2 Examining a Few of the CIM Data Models

https://docs.splunk.com/Documentation/CIM/5.3.1/User/Overview

A data model contains one or more datasets.


2.3 Splunk Knowledge Objects


2.4 Knowledge Objects Included in the CIM


2.5 Demo: Splunk CIM


Summary


3. Configuring the Common Information Model Add-on

3.1 Configuring and Employing the Common Information Model Add-on


3.2 Introducing Our Use Case


3.3 *Demo: Making Data CIM Compliant in Splunk

Watch one more time.


Uploaded the system1, system2 and system3 CSV files, all into the same index (index=main).

Went to the CIM documentation and found that the Web data model is suitable for this use case.

Settings – Data Models – search "Web" – it is available (the CIM add-on is already installed).




Apps – Manage Apps – filter for CIM – choose Splunk Common Information Model – Set up


Find the Web data model:

Accelerate: checked

Indexes whitelist = main


Set up event types: Settings – Event Types – New Event Type



Go to CIM – change the permission from Private to Global.

Go to Settings – Data Models – Web data model – click Pivot.

Click the Web dataset.


Go to Settings – Fields – Field Aliases – New Field Alias



Go to Settings – Fields – Field Aliases – the newly added field aliases are listed.

File 3 is not in name=value form, so its fields need to be extracted instead.

Go to Search – search host="system3" – Extract New Fields – Select Method – choose Regular Expression – highlight each value and give it a field name.


Now go to Settings – Data Models – Web – Pivot – the fields are now populated.


Two single-value panels.

Create the panels and save them to a dashboard.
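The same mapping written as the .conf stanzas that the UI steps above produce, as an added example that is not part of the original notes. The source field names on system1 and system2 and the line format of system3 are assumptions, since the notes do not show the CSV contents.

```conf
# props.conf -- files 1 and 2 are already name=value, so only their field
# names are renamed to the CIM Web data model names (the original names such
# as client_ip are assumed; the notes do not show the CSV contents)
[host::system1]
FIELDALIAS-cim_web = client_ip AS src server_ip AS dest request_uri AS url method AS http_method

[host::system2]
FIELDALIAS-cim_web = c_ip AS src s_ip AS dest cs_uri AS url cs_method AS http_method sc_status AS status sc_bytes AS bytes

# File 3 is not name=value, so its fields are extracted with a regex instead
# (this is the EXTRACT line the "Extract New Fields" wizard writes).
# Assumed sample line: 10.0.0.5 -> 192.0.2.10 GET /login 200 512
[host::system3]
EXTRACT-cim_web = ^(?<src>\S+)\s+->\s+(?<dest>\S+)\s+(?<http_method>[A-Z]+)\s+(?<url>\S+)\s+(?<status>\d{3})\s+(?<bytes>\d+)$

# eventtypes.conf -- one event type that selects the three uploaded hosts
[demo_web_traffic]
search = index=main (host=system1 OR host=system2 OR host=system3)

# tags.conf -- the Web data model's root constraint is tag=web, so tagging the
# event type is what makes these events show up under Web > Web in Pivot
[eventtype=demo_web_traffic]
web = enabled

# metadata/local.meta -- "Permission: Global" on the event type, so the CIM
# app's data model can see an object created in another app
[eventtypes/demo_web_traffic]
export = system

# macros.conf (in the CIM add-on) -- the "Indexes whitelist = main" setting
# on the add-on's setup page is stored as the per-model index macro
[cim_Web_indexes]
definition = index=main

# datamodels.conf -- "Accelerate checked" on the Web data model
[Web]
acceleration = 1
acceleration.earliest_time = -7d
```

After the objects are global, `| datamodel Web Web search | stats count by host` should return all three hosts; a host that is missing usually means its events did not receive tag=web or its index is outside the `cim_Web_indexes` macro.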
