Configuring OCSF CIM add-on

Install the Common Information Model (CIM) and the OCSF CIM add-on.

Follow these steps to configure the OCSF CIM add-on:

On Splunk Platform, access the app configuration page by going to Manage apps and then scrolling to the OCSF CIM add-on from the list.
Select Set up.
Configure OCSF sourcetypes by selecting all the sourcetypes that contain OCSF-formatted data and to which you want to apply the OCSF field extractions.
1. Navigate to OCSF-CIM TA Setup page to configure sourcetypes. You must prefix OCSF sourcetypes with ocsf. For example, ocsf:aws:asl

Adding a sourcetype to this configuration creates a stanza in $SPLUNK_HOME/etc/apps/ocsf_cim_addon_for_splunk/local/props.conf that contains the necessary field extractions.

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

Enterprise Security

SOAR

IT Service Intelligence

Content Packs

Splunk Observability Cloud

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

Developer Documentation

Splunkbase

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

DATA MANAGEMENT

SEARCH AND ANALYTICS

ADMINISTRATION

Enterprise Security

SOAR

ENTERPRISE SECURITY

SOAR

RELATED APPS

IT Service Intelligence

Content Packs

ITSI

IT Ops

ADMINISTRATION

EXTENSIONS

Splunk Observability Cloud

MONITORING

DATA MANAGEMENT

ADMINISTRATION

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

ESSENTIALS

MONITORING

ADMINISTRATION

Developer Documentation

Splunkbase

PLATFORM

OBSERVABILITY

REFERENCE

Resources

REFERENCE

Learn More

Support

Configuring OCSF CIM add-on