Splunk Enterprise Security Certified Admin — Question 87
Which of the following is a way to test for a properly normalized data model?
Answer options
- A. Use Audit -> Normalization Audit and check the Errors panel.
- B. Run a | datamodel search, compare results to the CIM documentation for the datamodel.
- C. Run a | loadjob search, look at tag values and compare them to known tags based on the encoding.
- D. Run a | datamodel search and compare the results to the list of data models in the ES normalization guide.
Correct answer: B
Explanation
The correct answer is B, as running a | datamodel search and comparing the results to the CIM documentation allows for a direct evaluation of how well the data model adheres to the Common Information Model standards. Options A, C, and D do not specifically assess conformity to the CIM documentation, thus making them less suitable for this purpose.