My team is always complaining that Splunk is not CIM compliant. Most of the data sources in Splunk, such as Symantec Endpoint and Blue Coat logs, are not completely CIM compliant; they are about 80% CIM compliant. My question is: can Splunk ever be 100% CIM compliant, or am I trying to do something that can't be achieved?
I'm one of the founders of Enterprise Security (which was a big driver in the CIM, which I also helped develop) and I completely agree that CIM compliance in the way that your coworkers are describing is flawed.
Here are some observations:
Hi Luke,
Thanks for answering the question. Hopefully this will help explain to the team how to drive the percentage of CIM compliance with use cases.
Thank You,
Ujuka
I doubt you will ever see 100% CIM compliance. That would require every event to contain every CIM field for a given data model, and that just doesn't happen, IME. I'm not saying it isn't possible, but it's probably impractical. I'd be very happy with 80% compliance, TBH.
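To make the "80% compliant" figure concrete, here is an added example (not from the original thread, and not Splunk's or the CIM add-on's own code) that measures compliance for a batch of events against one data model using the definition in the answer above: an event is fully compliant only if it carries every field the data model expects. The field list is an assumed, hand-picked subset of the CIM Web data model (not the full specification), and the events are constructed key=value lines standing in for proxy logs, not real Blue Coat output. It reports both numbers a team tends to argue about: the fraction of events that are fully compliant, and the average per-field coverage, which is the softer figure that usually lands near "80%".

```python
"""
Added example (not from the original thread or from Splunk): measure how close a
set of events comes to "CIM compliance" for one data model.

Assumptions (hypothetical, labelled as such):
  - REQUIRED_FIELDS is a hand-picked subset of CIM Web data model field names,
    not the full CIM specification.
  - SAMPLE_EVENTS are constructed key=value lines standing in for proxy logs;
    they are not real Blue Coat output.
"""
import re
from collections import Counter

# Assumed subset of CIM Web data model fields (illustrative, not the full model).
REQUIRED_FIELDS = ("action", "src", "dest", "url", "status", "bytes", "http_method", "user")

# Constructed sample events (not real proxy logs). Events 3 and 4 are deliberately
# missing fields so the two compliance numbers diverge.
SAMPLE_EVENTS = [
    "action=allowed src=10.0.0.5 dest=93.184.216.34 url=http://example.com/ status=200 bytes=1024 http_method=GET user=alice",
    "action=blocked src=10.0.0.7 dest=203.0.113.9 url=http://bad.example/ status=403 bytes=0 http_method=GET user=bob",
    "action=allowed src=10.0.0.9 dest=198.51.100.2 url=http://example.org/a status=200 bytes=512 http_method=POST",
    "src=10.0.0.11 dest=198.51.100.3 status=200 bytes=2048 http_method=GET user=carol",
    "action=allowed src=10.0.0.12 dest=198.51.100.4 url=http://example.net/ status=200 bytes=77 http_method=GET user=dave",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a key=value line into a dict; empty values count as absent."""
    return {k: v for k, v in KV_RE.findall(line) if v}


def missing_fields(event, required=REQUIRED_FIELDS):
    """List the required fields an event lacks, in data-model order."""
    parsed = parse_event(event)
    return [f for f in required if f not in parsed]


def cim_coverage(events, required=REQUIRED_FIELDS):
    """
    Return (fully_compliant_fraction, per_field_coverage, mean_field_coverage).

    fully_compliant_fraction: events that carry every required field / all events
                              (the strict "100% compliant" definition)
    per_field_coverage:       {field: fraction of events that carry it}
    mean_field_coverage:      average of per-field coverage, the softer
                              "we're about 80% compliant" style number
    """
    parsed = [parse_event(e) for e in events]
    n = len(parsed)
    if n == 0:
        return 0.0, {f: 0.0 for f in required}, 0.0

    present = Counter()
    fully = 0
    for ev in parsed:
        if all(f in ev for f in required):
            fully += 1
        for f in required:
            if f in ev:
                present[f] += 1

    per_field = {f: present[f] / n for f in required}
    mean_cov = sum(per_field.values()) / len(required)
    return fully / n, per_field, mean_cov


if __name__ == "__main__":
    strict, per_field, soft = cim_coverage(SAMPLE_EVENTS)
    print(f"fully compliant events: {strict:.0%}")
    print(f"mean per-field coverage: {soft:.1%}")
    for field, cov in sorted(per_field.items(), key=lambda kv: kv[1]):
        print(f"  {field:12s} {cov:.0%}")
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        if gaps := missing_fields(ev):
            print(f"event {i} missing: {', '.join(gaps)}")
```

On the constructed sample, mean per-field coverage is 92.5% while only 60% of events are fully compliant: the same data looks "mostly compliant" or "mostly not" depending on which definition the team is using, which is usually the real disagreement behind "Splunk is not CIM compliant". Reporting the per-field breakdown also shows which extractions (here `action`, `url`, `user`) are worth fixing for a given use case.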