Building cool stuff together.

Introducing Splunk's

Common Information and Action Model

@authors Matt Turner & Alejandro Varela

Vision Statement

To create a standardized format for application logs across all APIs, Windows services, etc., enabling seamless integration with log aggregators like Splunk for efficient log processing, analysis, and alerts creation.

Problem Statement

Our applications write logs in different formats.

This inconsistency makes aggregation and analysis difficult and undermines the benefits of Splunk.

Proposed Solution

Adopt CIAM — Common Information and Action Model — for standardized logging across the enterprise.

What is CIAM?

An extension of Splunk’s Common Information Model (CIM) that:

  • Provides a shared semantic structure.
  • Normalizes and standardizes logs from different sources.
  • Supports interoperability with Splunk dashboards, alerts, and analytics.

What CIAM Does

  • Uses consistent field names and data types.
  • Applies semantic meaning to log content.
  • Ensures that all logs follow the same structure:
    • e.g., clientIP → src_ip

Key Components

Interoperability

CIM logs = plug-and-play in Splunk. No custom parsing.

Action Modeling

Captures intent and result: e.g., login success/failure.

Field Normalization

Common fields: timestamp, user, src_ip, dest_ip, action, status.

Event Categorization

Identify logs as auth, access, error, or transaction.

Why CIAM Matters

Without CIAM:

  • Logs are fragmented and inconsistent.
  • Manual correlation is hard.
  • Monitoring lacks depth.

With CIAM:

  • Logs become interoperable.
  • Correlation is seamless.
  • Alerting is precise.

Benefits of CIAM

  1. Standardized Log Format
  2. Seamless Splunk Integration
  3. Log Correlation Across Systems
  4. Scalability and Future-Readiness

Implementation Plan

Phase 1: Planning & Design

  • Review Splunk CIM documentation
  • Define event types (e.g., logins, errors)
  • Map your app events to existing CIM models

Phase 2: Field Mapping in Splunk

  • Ingest logs as-is (JSON recommended)
  • Use Splunk field aliases:
    • clientIP → src_ip
    • userId → user
  • Tools:
    • Splunk UI
    • Props & Transforms
    • CIM Add-ons

Phase 3: Validation & Testing

  • Use JSON schema validator
    (e.g., Newtonsoft.Json.Schema)
  • Perform unit & integration tests on log output
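As an added illustration of the Phase 2 field mapping and Phase 3 validation (example code, not part of the original deck and not Splunk's or the authors' own), the snippet below renames an application's field names to the CIM common fields, derives the event category, and checks the result against a minimal schema. The alias table, required-field list, action-to-category mapping and the sample event are all assumptions made for this example; in a real deployment the aliasing lives in Splunk props.conf or in the application's logging layer.

```python
import ipaddress
from datetime import datetime

# Assumed alias table for this example: application field name -> CIM field name.
FIELD_ALIASES = {"clientIP": "src_ip", "serverIP": "dest_ip", "userId": "user",
                 "ts": "timestamp", "outcome": "status"}

# The common fields every CIAM event must carry, and the type each must have.
REQUIRED_FIELDS = {"timestamp": str, "user": str, "src_ip": str,
                   "dest_ip": str, "action": str, "status": str}

# Assumed mapping from an application's action name to the CIAM event category.
CATEGORY_BY_ACTION = {"login": "auth", "logout": "auth", "read": "access",
                      "write": "access", "purchase": "transaction"}


def normalize(raw: dict) -> dict:
    """Rename app-specific keys to CIM field names and derive event_category."""
    event = {FIELD_ALIASES.get(key, key): value for key, value in raw.items()}
    event.setdefault("action", "unknown")
    if event.get("status") == "error":
        event["event_category"] = "error"
    else:
        event["event_category"] = CATEGORY_BY_ACTION.get(event["action"], "access")
    return event


def validate(event: dict) -> list:
    """Return the schema violations found; an empty list means the event is compliant."""
    problems = []
    for field, expected in REQUIRED_FIELDS.items():
        if field not in event:
            problems.append(f"missing {field}")
        elif not isinstance(event[field], expected):
            problems.append(f"{field} must be {expected.__name__}")
    for field in ("src_ip", "dest_ip"):
        if field in event:
            try:
                ipaddress.ip_address(event[field])
            except ValueError:
                problems.append(f"{field} is not a valid IP address")
    if "timestamp" in event:
        try:
            datetime.fromisoformat(str(event["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems


# Constructed sample of what a .NET Web API might emit today, before any aliasing.
RAW_LOGIN = {"ts": "2024-05-01T12:00:00Z", "userId": "jdoe", "clientIP": "10.1.2.3",
             "serverIP": "10.0.0.5", "action": "login", "outcome": "failure"}
```

Running `validate(normalize(RAW_LOGIN))` returns an empty list, while an event missing `dest_ip` or carrying a malformed IP or timestamp is reported field by field, which is the kind of check Phase 3's unit tests on log output should make.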

Phase 4: Deployment & Integration

  • Forward logs to Splunk using:
    • HEC
    • File + Universal Forwarder
    • Syslog
  • Validate data model compliance

Phase 5: Monitoring & Iteration

  • Build dashboards & alerts
  • Refactor services over time
  • Review CIAM usage quarterly

Note for Developers

This plan is based on .NET Web API—but CIAM applies to any platform or language.

Glossary

  • CIAM – Common Information and Action Model
  • CIM – Common Information Model
  • Field Alias – Mapping from custom to standard field
  • HEC – HTTP Event Collector
  • Universal Forwarder – Lightweight Splunk agent

Let’s Build Better Logs

CIAM isn’t just structure—
it’s strategy, scalability, and smarter operations.

Learn More…

Questions?
