Configuration

This page describes how to configure the OCSF-CIM Add-On for Splunk.

Accessing the configuration page

Under Manage Apps, navigate to the OCSF-CIM Add-On for Splunk list entry and press the Set up link.

Configure OCSF Sourcetypes

Select every sourcetype that contains OCSF-formatted data and to which you want OCSF field extractions applied.

Info

Adding a sourcetype to this configuration will create a stanza in $SPLUNK_HOME/etc/apps/ocsf_cim_addon_for_splunk/local/props.conf that contains the necessary field extractions.