All,
Can someone talk to me about how Splunk wants the term "severity" used?
Should I be logging out my errors using Splunk's CIM value severity from my app for the best compatibility with Splunk ES/PCI/ITS? Or, should I be using my own and severity is generated in those Apps on their own?
thanks,
Keeping a standard format is the whole point of CIM, so using CIM normalized fields is the way to go, especially if you are using ES / PCI / ITSI. If you map your own severity based on the CIM model, then you don't have to do any Splunk-side mapping to CIM. However, not all server-side apps follow the CIM-normalized severity levels. So it depends on your app and your familiarity with Splunk as to where you want to do this normalization.
For me personally, I try to do this before data gets into Splunk, and then you can alias the field to severity (or leave it as is.)
Of course, the normalization is just a lookup that can be reused across source types... So you can make this and reuse this as needed without a lot of effort...
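The approach the answer describes, normalizing severity in the application before the data reaches Splunk, as an added example that is not part of the original post. It maps the app's own log levels (Python `logging` and syslog-style names are used as stand-ins) onto the value set the CIM Alerts model uses for `severity` (critical, high, medium, low, informational, unknown) and emits JSON events carrying that field, so the data needs no search-time mapping. The app name `payments-api`, the level mapping itself and the sample messages are assumptions, not anything from the thread; `lookup_csv_rows` produces the same mapping as rows for a Splunk lookup table, for the case where you would rather normalize Splunk-side and reuse it across source types as the answer suggests.

```python
"""Emit application log events with a CIM-normalized `severity` field.

Added example (not from the original post). The level-to-severity
mapping and the app name are constructed assumptions.
"""
import json
import logging

# Value set of the CIM `severity` field (Alerts data model).
CIM_SEVERITIES = ("critical", "high", "medium", "low", "informational", "unknown")

# Assumed mapping from application / syslog level names to CIM severity.
# Adjust to your app; the point is that the app owns the mapping.
LEVEL_TO_CIM = {
    "EMERGENCY": "critical", "ALERT": "critical", "CRITICAL": "critical",
    "ERROR": "high",
    "WARNING": "medium", "WARN": "medium",
    "NOTICE": "low",
    "INFO": "informational", "DEBUG": "informational",
}


def cim_severity(level: str) -> str:
    """Return the CIM severity for an app log level.

    Anything the mapping does not know collapses to 'unknown' rather than
    leaking a non-CIM value into the field that ES/PCI/ITSI searches on.
    """
    sev = LEVEL_TO_CIM.get(str(level).strip().upper(), "unknown")
    assert sev in CIM_SEVERITIES
    return sev


class CimJsonFormatter(logging.Formatter):
    """Format each record as one JSON object with both raw level and CIM severity."""

    def format(self, record: logging.LogRecord) -> str:
        event = {
            "time": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "app": record.name,
            "level": record.levelname,                   # raw level kept for debugging
            "severity": cim_severity(record.levelname),  # CIM-normalized value
            "message": record.getMessage(),
        }
        return json.dumps(event)


class ListHandler(logging.Handler):
    """Collects formatted lines in memory (stand-in for a file/HEC handler)."""

    def __init__(self, sink: list):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def make_logger(sink: list, name: str = "payments-api") -> logging.Logger:
    """Build a logger whose output is CIM-shaped JSON written to `sink`."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler(sink)
    handler.setFormatter(CimJsonFormatter())
    logger.addHandler(handler)
    return logger


def lookup_csv_rows() -> list:
    """Rows (header first) for a Splunk lookup if you normalize Splunk-side instead.

    Writing these to a CSV gives a `level -> severity` lookup that can be
    applied to any source type via a lookup definition and automatic lookup.
    """
    return [("level", "severity")] + sorted(LEVEL_TO_CIM.items())


def demo() -> list:
    """Emit three constructed events and return them parsed back as dicts."""
    sink = []
    log = make_logger(sink)
    log.error("payment gateway timeout")      # -> severity "high"
    log.warning("disk usage at 91 percent")   # -> severity "medium"
    log.info("worker started")                # -> severity "informational"
    return [json.loads(line) for line in sink]


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))
    for row in lookup_csv_rows():
        print(",".join(row))
```

Keeping the raw `level` alongside the normalized `severity` costs nothing and lets you verify the mapping from inside Splunk (`| stats count by level severity`) before trusting it in ES correlation searches.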