Splunk Common Information Model (CIM): Applying multiple CIM models with overlapping fields

jinloes
Engager

How can I handle the case where I want to apply multiple CIM models to my sourcetype, but two CIM models have the same field with different meanings (as in they would be evaled from different fields)?

1 Solution

woodcock
Esteemed Legend

The basic principle is: do not modify the CIM so your options are limited; you can:

A: Use a similar field that is supported such as src_ip or src_name.
B: Duplicate the event and send the original with one field mapping to one data model and the duplicate with the other mapping to the other data model. Your options here are: B1: summary index or B2: CLONE_SOURCETYPE.

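As an added illustration of option B2 (example configuration, not from the original thread), this wires up CLONE_SOURCETYPE so the original event keeps the Alert meaning of src while the clone carries the Network Traffic meaning. The sourcetype names, stanza names and raw field names (alert_host, client_ip, server_ip) are assumptions for this example.

```ini
# --- transforms.conf (on the indexer or heavy forwarder that parses the data) ---
[clone_to_network_traffic]
# REGEX = . matches any non-empty event, so every event of the sourcetype is cloned
REGEX = .
# the clone is indexed under this second sourcetype; the original is unchanged
CLONE_SOURCETYPE = myapp:event:network

# --- props.conf ---
[myapp:event]
# index-time (parsing tier): clone each event into the second sourcetype
TRANSFORMS-clone_network = clone_to_network_traffic
# search-time (search head): for the Alert model, src is the host that raised the alert
FIELDALIAS-alert_src = alert_host AS src

[myapp:event:network]
# search-time: for Network Traffic, src and dest are the connection endpoints
FIELDALIAS-net_src = client_ip AS src
FIELDALIAS-net_dest = server_ip AS dest

# --- eventtypes.conf (search head) ---
[myapp_alert]
search = sourcetype=myapp:event

[myapp_network_traffic]
search = sourcetype=myapp:event:network

# --- tags.conf (search head) ---
# the Alert data model selects on tag=alert; Network Traffic on tag=network tag=communicate
[eventtype=myapp_alert]
alert = enabled

[eventtype=myapp_network_traffic]
network = enabled
communicate = enabled
```

Because the clone is a second indexed copy, it counts a second time against license volume, and the TRANSFORMS/CLONE_SOURCETYPE stanzas only take effect on the tier that parses the data, not on the search head.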
woodcock
Esteemed Legend

I think you are toast but am curious about the particulars. What are the source/sourcetype of your event and what 2 datamodels and what field (I assume the field is action)?

jinloes
Engager

I'm trying to map one of our internal events to the Alert and Network Traffic CIM models because it contains information relevant to both models. I'm interested in the src field of both models, but src means different things in each model, so the source values need to be different. Is there any way to handle that case?
