The Great Standard • Room 3
CIM Data Models
The Splunk CIM Add-on provides dozens of pre-built Data Models (e.g., Network Traffic, Authentication, Malware).
These models are structured hierarchically. Using `tstats`, we can query these accelerated models natively.
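To illustrate the hierarchy, here is an added example (not part of the original lesson) that uses `nodename` to query the `Failed_Authentication` child dataset of the Authentication model and surfaces sources with many failed logins per hour. It assumes the CIM Add-on's Authentication model is accelerated; the threshold of 20 is a constructed value to tune for your environment.

```spl
| tstats summariesonly=true count AS failures
    dc(Authentication.user) AS distinct_users
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication
    by Authentication.src _time span=1h
| rename Authentication.src AS src
| where failures >= 20
| sort - failures
```

A high `distinct_users` value alongside a high `failures` count from one `src` points to password spraying rather than a single account being guessed repeatedly.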
Natively Querying CIM
| tstats count from datamodel=Authentication where Authentication.action="success" by _time span=1h
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Write a tstats search to count the number of events in the "Network_Traffic" CIM Datamodel where the action is "blocked".