Which knowledge object is used to normalize field names to comply with the Splunk Common Information Model (CIM)?
Which knowledge object is used to normalize field names to comply with the Splunk Common Information Model (CIM)?
The correct knowledge object used to normalize field names to comply with the Splunk Common Information Model (CIM) is a 'Field alias'. A field alias allows you to map field names to other names to ensure consistent naming conventions, which is essential for the normalization process in CIM.
FX, Alias and Lookup. So here it would be option C only. Ref: https://docs.splunk.com/Documentation/CIM/5.1.1/User/UsetheCIMtonormalizedataatsearchtime
We have "Splunk Enterprise knowledge objects include saved searches, event types, tags, field extractions, lookups, reports, alerts, data models, workflow actions, and fields." to choose from, which leaves `Field aliases` out (Source courtesy of Daniel9527: https://docs.splunk.com/Splexicon:Knowledgeobject) Nevertheless, the only find in page match for "to normalize field names" is: b. Create field aliases to normalize field names More precise source: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtonormalizedataatsearchtime#b._Create_field_aliases_to_normalize_field_names
Field alias is number 5 in the table. Very important to learn by heart: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence
But Alias is not Knowledge object, is it? https://docs.splunk.com/Splexicon:Knowledgeobject