What should be used to map a non-standard field name to a CIM field name?
What should be used to map a non-standard field name to a CIM field name?
To map a non-standard field name to a CIM (Common Information Model) field name, a field alias should be used. Field aliases allow existing fields to be referenced by multiple names, enabling the mapping of non-standard field names to standardized CIM field names. This ensures that data conforms to the CIM schema without changing the original field names.
A is the correct answer. Reference from 'Administering Splunk ES' - page 209: Field aliases to map non-standard field names to CIM field names
A is right
You use a field alias to alias an existing field to a CIM compliant field, thus making the non-compliant field, compliant via proxy.
can anyone explain why is correct answer is A?