The Knowledge Vault • Room 2

Data Models & CIM

Data models are hierarchical structures that describe datasets. They organize fields into object hierarchies that Pivot (a drag-and-drop visualization tool) can use.

The Common Information Model (CIM) is a set of standardized data models provided by Splunk. CIM ensures that data from different sources uses consistent field names (e.g., "src_ip" for source IP across all security data).

CIM normalization is critical for apps like Splunk Enterprise Security (ES), which rely on consistent field names across all data sources.

The Splunk CIM Add-on provides pre-built data models. Install it and map your sourcetypes to CIM-compliant field names.
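The mapping step described above, as an added example that is not part of the original lesson or of Splunk's add-on: search-time configuration that maps a hypothetical `acme:firewall` sourcetype onto the CIM Network Traffic data model. The sourcetype, the eventtype name and the vendor field names (`source_address`, `destination_address`, `s_port`, `d_port`, `disposition`) are assumptions made up for illustration.

```ini
# ---------- props.conf ----------
# Hypothetical sourcetype; vendor field names are constructed for illustration.
[acme:firewall]
# Rename vendor fields to the names the CIM data model expects.
FIELDALIAS-cim_src_ip  = source_address AS src_ip
FIELDALIAS-cim_dest_ip = destination_address AS dest_ip
FIELDALIAS-cim_src     = source_address AS src
FIELDALIAS-cim_dest    = destination_address AS dest
FIELDALIAS-cim_ports   = s_port AS src_port d_port AS dest_port
# Renaming is not enough when values differ between vendors:
# translate the vendor's verdicts into the model's "allowed" / "blocked".
EVAL-action = case(disposition=="permit", "allowed", disposition=="deny", "blocked", true(), "unknown")

# ---------- eventtypes.conf ----------
# An event type gives the tags below something to attach to.
[acme_firewall_traffic]
search = sourcetype=acme:firewall

# ---------- tags.conf ----------
# The Network Traffic data model selects events carrying both of these tags;
# without them the events never enter the model, however well the fields are named.
[eventtype=acme_firewall_traffic]
network = enabled
communicate = enabled
```

To confirm the mapping, a search such as `| tstats count from datamodel=Network_Traffic where sourcetype=acme:firewall by All_Traffic.action` should return rows split into the normalized action values.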

Knowledge Check

Question 1 of 2
What is the purpose of CIM?
A. Compress data for storage
B. Standardize field names across data sources
C. Encrypt sensitive fields
D. Schedule data deletion