Splunk Core Certified Power User — Question 181
Which Knowledge Object does the Splunk Common Information Model (CIM) use to normalize data, in addition to field aliases, event types, and tags?
Answer options
- A. Macros
- B. Lookups
- C. Workflow actions
- D. Field extractions
Correct answer: B, D
Explanation
The correct answer is B, Lookups, as they are specifically designed to enrich and normalize data by mapping values from one set to another. While D, Field extractions, are important for data parsing, they do not primarily serve the function of normalization within the CIM framework.