How do we map same field from CIM Mapping from different model?

raj_prince
Explorer

How do we map same field from CIM Mapping from different model?
Example: data is coming from the same sourcetype.
field1 -- map to the Inventory model 'dest' field
field2 -- map to the Alert model 'dest' field

woodcock
Esteemed Legend

You are misunderstanding. Just make sure that whatever is creating dest is promoted to Global level for permissions. Then all Data Model Accelerations will see it regardless of the Data Model.

0 Karma

gaurav_maniar
Builder

Hi Raj,

I'm not sure if I understood your question correctly: you want to use different fields from the same sourcetype as the dest field in CIM and another data model.

The easiest way to achieve this is defining these fields as eval expressions in both data models.
Check the attached screenshot.

Accept & up-vote the answer if it helped.

0 Karma

richgalloway
SplunkTrust

I argue against modifying data models. Sometimes, it's necessary, but often not. All that is needed here is one or more fieldalias definitions to create the 'dest' field.

Modified data models will override any updates from Splunk so you may miss out on important changes.

---
If this reply helps you, Karma would be appreciated.

woodcock
Esteemed Legend

I agree; unless it is a data model that you created, I would avoid changing it unless absolutely necessary. In this case, it is definitely NOT absolutely necessary.

0 Karma

raj_prince
Explorer

Hello Gaurav,

Thank you, it's working.

0 Karma

richgalloway
SplunkTrust

It's just a field. Once you have the mapping from the source field to 'dest' it will work in all data models.

---
If this reply helps you, Karma would be appreciated.
0 Karma