Building cool stuff together.

Introducing Splunk's
Common Information and Action Model
@authors Matt Turner & Alejandro Varela
Vision Statement
To create a standardized format for application logs across all APIs, Windows services, etc., enabling seamless integration with log aggregators like Splunk for efficient log processing, analysis, and alerts creation.
Problem Statement
Our applications write logs in different formats.
This inconsistency makes aggregation and analysis difficult and undermines the benefits of Splunk.
Proposed Solution
Adopt CIAM — Common Information and Action Model — for standardized logging across the enterprise.
What is CIAM?
An extension of Splunk’s Common Information Model (CIM) that:
- Provides a shared semantic structure.
- Normalizes and standardizes logs from different sources.
- Supports interoperability with Splunk dashboards, alerts, and analytics.
What CIAM Does
- Uses consistent field names and data types.
- Applies semantic meaning to log content.
- Ensures that all logs follow the same structure (e.g., clientIP → src_ip).
Key Components
Interoperability
CIM logs = plug-and-play in Splunk. No custom parsing.
Action Modeling
Captures intent and result: e.g., login success/failure.
Field Normalization
Common fields: timestamp, user, src_ip, dest_ip, action, status.
Event Categorization
Identify logs as auth, access, error, or transaction.
Why CIAM Matters
Without CIAM:
- Logs are fragmented and inconsistent.
- Manual correlation is hard.
- Monitoring lacks depth.
With CIAM:
- Logs become interoperable.
- Correlation is seamless.
- Alerting is precise.
Benefits of CIAM
- Standardized Log Format
- Seamless Splunk Integration
- Log Correlation Across Systems
- Scalability and Future-Readiness
Implementation Plan
Phase 1: Planning & Design
- Review Splunk CIM documentation
- Define event types (e.g., logins, errors)
- Map your app events to existing CIM models
Phase 2: Field Mapping in Splunk
- Ingest logs as-is (JSON recommended)
- Use Splunk field aliases:
- clientIP → src_ip
- userId → user
- Tools:
- Splunk UI
- Props & Transforms
- CIM Add-ons
Phase 3: Validation & Testing
- Use a JSON schema validator (e.g., Newtonsoft.Json.Schema)
- Perform unit & integration tests on log output
Phase 4: Deployment & Integration
- Forward logs to Splunk using:
- HEC
- File + Universal Forwarder
- Syslog
- Validate data model compliance
Phase 5: Monitoring & Iteration
- Build dashboards & alerts
- Refactor services over time
- Review CIAM usage quarterly
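As an added example (not from these slides or any Splunk component), here is how the Phase 2 field aliases and the Phase 3 validation step can be applied in application code before a log line is forwarded, in Python so it runs anywhere; the serverIP alias, the .NET event names and the EVENT_MAP table are assumptions for illustration.

```python
import json

# Application field -> CIM-style field. clientIP and userId come from the
# slides; serverIP is an assumed extra alias for a .NET Web API log.
FIELD_ALIASES = {
    "clientIP": "src_ip",
    "userId": "user",
    "serverIP": "dest_ip",
}

# Every normalized event must carry these fields before it is forwarded.
REQUIRED_FIELDS = ("timestamp", "user", "src_ip", "action", "status")

# Assumed mapping from an application event name to the CIAM
# action (intent), status (result) and event category.
EVENT_MAP = {
    "LoginSucceeded": ("login", "success", "auth"),
    "LoginFailed": ("login", "failure", "auth"),
    "ResourceRead": ("read", "success", "access"),
    "UnhandledException": ("error", "failure", "error"),
}


def normalize(raw_json: str) -> dict:
    """Rename fields to CIM names, model intent/result, categorize the event."""
    src = json.loads(raw_json)
    event = {FIELD_ALIASES.get(k, k): v for k, v in src.items()}
    action, status, category = EVENT_MAP.get(
        src.get("event"), ("unknown", "unknown", "transaction"))
    event.update({"action": action, "status": status, "category": category})
    return event


def validate(event: dict) -> list:
    """Return the required CIAM fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


# Constructed sample lines, shaped like a Web API might emit them (not real data).
SAMPLE_LOGS = [
    '{"timestamp": "2024-05-01T12:00:00Z", "clientIP": "10.0.0.5", '
    '"userId": "alice", "event": "LoginFailed"}',
    '{"timestamp": "2024-05-01T12:00:03Z", "clientIP": "10.0.0.5", '
    '"userId": "", "event": "UnhandledException"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = normalize(line)
        missing = validate(ev)
        print(json.dumps(ev), "MISSING:" + ",".join(missing) if missing else "OK")
```

The second sample fails validation because user is empty, which is the kind of gap a schema check in Phase 3 should catch before the event reaches Splunk.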
Note for Developers
This plan is based on .NET Web API—but CIAM applies to any platform or language.
Glossary
- CIAM – Common Information and Action Model
- CIM – Common Information Model
- Field Alias – Mapping from custom to standard field
- HEC – HTTP Event Collector
- Universal Forwarder – Lightweight Splunk agent
Let’s Build Better Logs
CIAM isn’t just structure—
it’s strategy, scalability, and smarter operations.
Learn More…

Questions?