All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best practice for using the Common Information Model?

rturk
Builder
‎07-06-2011 05:15 AM

Greetings Splunkers!

So I'm writing my first app for a Content Delivery Network platform and for ease of use I'm adopting the Common Information Model (as per HERE) in selecting the field names (as the vendor in question hasn't). I'm just wondering about how best to apply it?

As I see it, my options:

  1. Keep the vendor supplied field names and write CIM compliant field aliases where appropriate, or;
  2. Use my props.conf and transforms.conf and rewrite them on indexing, completely discarding the vendor supplied field names.
  3. Log a "feature request" with the vendor from San Fran*Cisco* to get their logfiles in line 😉

Option 1 will allow users who are familiar with the log formats to pick up the application quickly, and has the advantage of aligning with vendor published documentation.

Option 2 has the advantages of a clean interface & normalisation, but at the cost of losing alignment with published vendor documentation, and a learning curve for existing users. I'd also include a README or something like that indicating field mappings.

Option 3 has about as much chance as a snowball fight in hell of succeeding.

What has been the experience of application developers here? Which path have you gone down and why?

Mucho Gracias!

RT

Reply
1 Solution
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎07-12-2011 03:39 PM

I have gone with Option 1, myself. The biggest problem with option 2 is that when users are looking at the raw event data (e.g., if they will ever have any sort of raw search capability), they will be totally lost when they try to do any field manipulations.

As it came about in my app, I have ridiculously unusable field names (very long to type). When I wrote my summary indexing, I shortened the names significantly (numberOfUnresolvedCountersInLastHour -> NumUnresolvedCounters). I then added aliases to for the raw data, so that users could search either by the field names they put in there, or by the names in my summary indexing.

A valid critique of this is that maintaining two sets of field names can confuse users no matter what -- if they build search terms on the long field names from the raw data, then try to apply that to the summary indexed data, they'll have problems lest I alias my summary data in the other direction, as well. In my particular scenario, using raw data is nigh suicidal for anyone not fully aware of the intricacies of Splunk, so it's a pretty minimal risk. Obviously, the only "real" solution is to alter the _raw field (impossible) or alter the source data.

My two cents.

View solution in original post

Reply
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎07-12-2011 03:39 PM

I have gone with Option 1, myself. The biggest problem with option 2 is that when users are looking at the raw event data (e.g., if they will ever have any sort of raw search capability), they will be totally lost when they try to do any field manipulations.

As it came about in my app, I have ridiculously unusable field names (very long to type). When I wrote my summary indexing, I shortened the names significantly (numberOfUnresolvedCountersInLastHour -> NumUnresolvedCounters). I then added aliases to for the raw data, so that users could search either by the field names they put in there, or by the names in my summary indexing.

A valid critique of this is that maintaining two sets of field names can confuse users no matter what -- if they build search terms on the long field names from the raw data, then try to apply that to the summary indexed data, they'll have problems lest I alias my summary data in the other direction, as well. In my particular scenario, using raw data is nigh suicidal for anyone not fully aware of the intricacies of Splunk, so it's a pretty minimal risk. Obviously, the only "real" solution is to alter the _raw field (impossible) or alter the source data.

My two cents.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...