CIM Assessment Toolkit
The Machine Data Insights Pipeline
Measures CIM compliance at the dataset and sourcetype level - not just the data model level - so you find the gaps that silently break Splunk Enterprise Security correlation searches. Five quantified KPIs, an impact-ranked remediation queue, a curated 845-sourcetype inventory, and an automated executive Word report.
What it does
From model averages to dataset-level truth.
CAT (the CIM Assessment Toolkit) is the free Splunkbase app MDI uses to quantify CIM compliance
before any engineering work begins. It collects per-field event counts,
distinct values, prescribed-value compliance, and acceleration health
across every CIM data model in your environment - then produces five
quantified KPIs, an impact-ranked remediation queue, and an automated
executive Word report. Where data model averages hide real exposure,
CAT measures every index + sourcetype combination so the gaps surface.
Dataset-level, not just model-level.
Most teams measure CIM compliance at the data model level and
miss the gaps that are silently breaking Splunk ES correlation
searches. "Authentication is 87% mapped" sounds healthy
until you discover that half the sourcetypes feeding Authentication
have zero mapped fields. CAT measures every index +
sourcetype combination across five quantified scores -
so the model average can never hide a real exposure.
The same pipeline produces Cribl packs and compares add-on versions at the configuration level, so upgrades never silently break CIM coverage.
[Screenshot: Data Model Test tab - validate a TA in five clicks]
[Screenshot: CIM Assessment Report - the cover your CISO sees first]
Reports your CISO will actually read.
A custom Splunk alert action produces a professional Word document on a schedule you choose. Cover page with KPI scorecards and an overall compliance rating, executive summary, compliance tables, field-level gap analysis, impact-ranked remediation priorities, and acceleration health. Scope-aware: produce a security-only report for the SOC, an operational report for IT, or a custom-category report for compliance. Zero pip dependencies - runs on Splunk's bundled Python with no external packages required.
What you get
Inside the dashboard.
Six surfaces in one app turn raw indexed data into a quantified, actionable CIM compliance picture.
Five quality KPIs
CIM Coverage, Mapping Quality, Data Quality, Value Compliance, and Overall Quality - five color-coded scores across every index + sourcetype, with trend charts that show whether you're improving or regressing.
Curated sourcetype inventory
Ships with a curated catalog of 845 industry sourcetypes pre-classified by vendor, security relevance, scope, and provenance - so the Unmapped Data tab is instantly useful instead of starting from an empty spreadsheet.
Impact-ranked remediation
Remediation Priorities ranks sourcetypes by impact score (low quality x high event volume = your first hour of work), with required tags and missing field counts already calculated.
Data Model Test tab
Pick a model, dataset, and sourcetype; CAT generates and runs the equivalent "| from datamodel" search and shows per-field fill-rate scoring color-coded by tier. Catch a missing extraction in seconds rather than days.
Acceleration Health
Per-model acceleration completion, time range coverage, retention, and errors - so when scores look bad you know whether it's a CIM problem or an acceleration problem.
Scope-aware Word reports
A custom Splunk alert action generates a professional .docx report - KPI scorecards, executive summary, gap analysis, remediation priorities - and emails it on schedule. Scope filters produce security-only, operational-only, or custom-category reports from one install.
Need to know your ES detection coverage?
CAT is the assessment foundation of the MDI CIM Normalization Pipeline. Install it from Splunkbase, or talk to MDI about a structured assessment engagement built around it.