Simplifying IT Operations data analytics with Splunk Enterprise 6 and the Common Information Model

At our annual user's conference, .conf 2013, we announced the latest release of Splunk Enterprise – Splunk Enterprise 6. Splunk 6 introduces new analytics features that make it easy for anyone to gain the critical insights they need from machine data. One of the key analytics features is Data Models. Data Models create meaningful relationships with the raw data, in effect creating structure around your unstructured machine data. This means that you can easily create common unifying hierarchies across multiple data sources and data types. Once created, Data Models are used and accessed via the Pivot interface to rapidly create visualizations and dashboards without needing to understand the underlying raw data. They provide an authoritative view of the machine data and can easily be shared.

Taking this to the next level, to further simplify data extraction, we introduce the Splunk Common Information Model (CIM). The Splunk CIM ships with 15 data models such as Alerts, Application State, Change Analysis, Network Sessions, Performance, Vulnerabilities and more. Each of these data models contains objects relevant to that specific category. Think of the CIM as a set of field names, attributes and tags that define the least common denominator across different domains.

If you're using the Splunk App for VMware to index VMware data into the Splunk 6 platform (yes, the VMware App is compatible with Splunk 6), note that it's CIM compliant. The CIM currently maps the VMware data into 3 data models – Compute Inventory, Performance and Alerts – each containing pre-defined objects. For instance, the Performance data model within the CIM contains objects like CPU, Memory, Network, OS and Storage, and each of these objects contains fields such as cpu_load_percent, cpu_time, mem_free, mem_used, and so on. The CIM maps the data indexed by the VMware App into these fields.

If you are indexing data from a custom source and it's CIM compliant, then these fields get auto-populated for the new data source as well.

For example, let's say you are indexing alerts data from a custom application and the alerts conform to the published CIM. Correlating alerts at the application level with alerts from the VMware level is now super easy. Let's say there is a spike in application response times: you can now use the Pivot interface to quickly figure out when alerts at the application level coincided with alerts at the hypervisor level, and then pivot again to see when there were performance-related events at the hypervisor level that caused the alerts. All with a few clicks in the UI.
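To make the mechanism concrete, here is an added illustration (not Splunk's code, and not how Splunk implements the CIM internally) of what CIM compliance buys you: two alert feeds with vendor-specific key names are normalised onto shared field names, and only then can they be correlated by source and time window. The shared field names (_time, severity, src, signature), the sample events and the 60-second window are assumptions made for this illustration.

```python
"""Added illustration: normalise heterogeneous alerts onto common field names,
then correlate them. Field names below are assumed for the example, not taken
from the CIM Alerts model documentation."""
from datetime import datetime, timedelta, timezone

# Constructed sample events: a custom application alert and a hypervisor alert,
# each using its own vendor-specific keys for the same concepts.
APP_ALERT = {"ts": "2013-10-01T12:00:05Z", "level": "crit",
             "host": "app01", "msg": "response time > 2s"}
VMWARE_ALERT = {"eventTime": "2013-10-01T11:59:40Z", "sev": "yellow",
                "vm": "app01", "alarm": "cpu usage above 90%"}


def utc(ts):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# One mapping per source: vendor keys and vendor severity scales are folded into
# the shared vocabulary, which is the job field aliases and tags do in Splunk.
def normalize_app(e):
    sev = {"crit": "critical", "warn": "medium"}.get(e["level"], e["level"])
    return {"_time": utc(e["ts"]), "severity": sev, "src": e["host"],
            "signature": e["msg"], "source_type": "app"}


def normalize_vmware(e):
    sev = {"yellow": "medium", "red": "high"}.get(e["sev"], e["sev"])
    return {"_time": utc(e["eventTime"]), "severity": sev, "src": e["vm"],
            "signature": e["alarm"], "source_type": "hypervisor"}


def correlate(alerts, window=timedelta(seconds=60)):
    """Pair application alerts with hypervisor alerts on the same src
    whose timestamps fall within `window` of each other."""
    apps = [a for a in alerts if a["source_type"] == "app"]
    hyps = [a for a in alerts if a["source_type"] == "hypervisor"]
    return [(a["signature"], h["signature"])
            for a in apps for h in hyps
            if h["src"] == a["src"] and abs(a["_time"] - h["_time"]) <= window]


def demo():
    """Normalise the two constructed alerts and return the correlated pairs."""
    return correlate([normalize_app(APP_ALERT), normalize_vmware(VMWARE_ALERT)])
```

Without the normalisation step the two events share no key at all, which is exactly why correlating non-compliant sources needs per-source search logic.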

As we build more apps, more and more will comply with the CIM – allowing easier pivoting between different data sources and finding causality.

What does this mean to you?

  1. Leverage the power of Splunk 6 platform on top of your VMware data to create data models and extract useful fields for advanced reporting with the Splunk App for VMware
  2. Easily extract data across heterogeneous technologies into common fields to leverage the power of the platform and simplify data correlation with the Splunk Common Information Model
  3. And lastly, drive self-serve analytics across your enterprise with Splunk 6

As always we’d love your feedback. So, don’t hesitate to let us know what you think of our improvements and what we can do to help you.

Posted by Priya Balakrishnan