One way to test for a properly normalized data model is to run a | datamodel search against the data model or a dataset within the data model and compare the results to the CIM documentation for the data model. The CIM documentation provides the expected fields, tags, and constraints for each data model and dataset, as well as examples of normalized events. By running a | datamodel search, you can examine the JSON output of the data model or dataset and verify that it matches the CIM specifications. You can also use the search mode option of the | datamodel command to return either results or a search string that you can further inspect or modify. For more information, see datamodel - Splunk Documentation [1] and Overview of the Splunk Common Information Model [2].

References:
1: datamodel - Splunk Documentation
2: Overview of the Splunk Common Information Model
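As an added example (not from the original answer), the following SPL uses the search mode of | datamodel to pull events from the CIM Authentication data model and measure how often the CIM-defined fields action, app, dest, src and user are actually populated; low percentages point at source types whose field extractions, aliases or tags do not yet match the CIM specification. It assumes the Authentication data model is installed and that the running user can read the indexes it covers.

```spl
| datamodel Authentication Authentication search
| stats count AS total
        count(Authentication.action) AS action_filled
        count(Authentication.app) AS app_filled
        count(Authentication.dest) AS dest_filled
        count(Authentication.src) AS src_filled
        count(Authentication.user) AS user_filled
        BY sourcetype
| eval action_pct=round(100*action_filled/total,1),
       app_pct=round(100*app_filled/total,1),
       dest_pct=round(100*dest_filled/total,1),
       src_pct=round(100*src_filled/total,1),
       user_pct=round(100*user_filled/total,1)
| fields sourcetype total *_pct
| sort - total
```

Replacing the final mode keyword with flat returns the same events without the Authentication. prefix, and running | datamodel Authentication alone returns the JSON definition you compare against the CIM field list.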