Configuring OCSF CIM add-on

Install the Common Information Model (CIM) and the OCSF CIM add-on.
Follow these steps to configure the OCSF CIM add-on:
  1. On Splunk Platform, access the app configuration page by going to Manage apps and then scrolling to the OCSF CIM add-on from the list.
  2. Select Set up.
  3. Configure OCSF sourcetypes: select every sourcetype that contains OCSF-formatted data and to which you want the OCSF field extractions applied.
    1. Navigate to the OCSF-CIM TA Setup page to configure the sourcetypes. OCSF sourcetype names must carry the ocsf prefix, for example ocsf:aws:asl.
Adding a sourcetype to this configuration creates a stanza in $SPLUNK_HOME/etc/apps/ocsf_cim_addon_for_splunk/local/props.conf that contains the necessary field extractions.
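After saving the setup, it is worth confirming that each sourcetype you entered follows the ocsf naming rule and actually received a stanza in local/props.conf. The following script is an added example, not part of the OCSF CIM add-on or the Splunk documentation: it validates the prefix rule, parses a props.conf, and reports whether each stanza carries at least one field-extraction setting. The embedded props.conf text is constructed for illustration and does not reproduce the settings the add-on writes.

```python
"""Sanity-check sourcetypes configured for the OCSF CIM add-on.

Added example (not the add-on's own code). It checks two things the
setup page relies on:
  1. every OCSF sourcetype name starts with the required "ocsf:" prefix;
  2. local/props.conf holds a stanza for each sourcetype, and that stanza
     contains at least one extraction-type setting.
The SAMPLE_PROPS_CONF text is constructed and only illustrates the shape
of a stanza; the real add-on writes its own extractions.
"""
import configparser
import os

OCSF_PREFIX = "ocsf:"

# props.conf setting prefixes that define field extractions or transforms
# (standard Splunk props.conf keys).
EXTRACTION_KEYS = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")

# Default location of the file the setup page writes to (path from the docs;
# $SPLUNK_HOME is expanded from the environment at run time).
PROPS_CONF_PATH = "$SPLUNK_HOME/etc/apps/ocsf_cim_addon_for_splunk/local/props.conf"

# Constructed sample: two stanzas, one with an extraction and one without.
SAMPLE_PROPS_CONF = """\
# constructed sample, not the add-on's real output
[ocsf:aws:asl]
KV_MODE = json
FIELDALIAS-ocsf_example = class_uid AS ocsf_class_uid

[ocsf:custom:edr]
TRUNCATE = 0
"""


def check_sourcetype_names(sourcetypes):
    """Return the sourcetypes that violate the required "ocsf:" prefix rule."""
    return [st for st in sourcetypes if not st.startswith(OCSF_PREFIX)]


def load_props(text):
    """Parse props.conf text; Splunk setting names are case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_props_stanzas(sourcetypes, props_text):
    """Map each sourcetype to 'ok', 'missing' (no stanza) or 'no_extractions'."""
    props = load_props(props_text)
    status = {}
    for st in sourcetypes:
        if not props.has_section(st):
            status[st] = "missing"
        elif not any(key.startswith(EXTRACTION_KEYS) for key in props[st]):
            status[st] = "no_extractions"
        else:
            status[st] = "ok"
    return status


def check_live_props(sourcetypes, path=PROPS_CONF_PATH):
    """Run the stanza check against the add-on's real local/props.conf."""
    with open(os.path.expandvars(path), encoding="utf-8") as fh:
        return check_props_stanzas(sourcetypes, fh.read())


if __name__ == "__main__":
    configured = ["ocsf:aws:asl", "ocsf:custom:edr", "aws:cloudtrail"]
    print("bad names:", check_sourcetype_names(configured))
    print("stanzas:", check_props_stanzas(configured, SAMPLE_PROPS_CONF))
```

Run it with the sourcetypes you entered on the setup page; a "missing" result means the setup did not write a stanza for that sourcetype, and "no_extractions" means the stanza exists but carries none of the extraction settings, so events of that sourcetype will not get the OCSF fields.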