What should be used to map a non-standard field name to a CIM field name?


Using a field alias is the appropriate method to map a non-standard field name to a Common Information Model (CIM) field name in Splunk. Field aliases allow users to create an alternate name for a field that can be used in searches, reports, and dashboards, effectively connecting non-standard field names from the source data to standardized CIM fields. This ensures that the data can be analyzed consistently across various sources and applications, as CIM is designed to unify data from different systems into a common format.

Field aliases provide flexibility by allowing you to reference the same data in multiple ways, which is particularly useful in environments where data ingestion comes from a variety of sources that may not adhere to the same naming conventions. This mapping permits users to leverage existing CIM-based knowledge objects and capabilities in Splunk without needing to change the structure of the original data sources.

Other options, such as search-time field extraction, refer to extracting fields from the data on the fly at search time, but that by itself does not map the extracted field to its CIM name. Tags categorize and label events, while eventtypes group events into logical sets based on search criteria; neither maps a non-standard field name directly to a CIM field.
