We want to CIM the fields, is there a way to do it?

Taylor Mill

Hi Team I hope you are doing well. We have been using Cribl to transform all our logs before they hit Splunk. We want to CIM the fields. Is there a way to do it? Thank you so much

Jon Rust

For sure. Cribl gives you complete control rename fields and/or move data around. It is not an easy button tho. You'll need to know your data and how it maps into CIM. I put together an example of this sort of thing in the Cisco ASA https://packs.cribl.io|pack

Raanan Dagan

Another good example is this pack: https://packs.cribl.io/ -> AWS VPC Flow for Security Teams

Taylor Mill

Thank you so much.