Web

The fields in the Web data model and Web and Proxy event category describe web server and/or proxy server data in a security or operational context.

Tags used with the Web data model, and Web and Proxy event category

Object name(s)	Tag name	Required?
Proxy	proxy	YES
Web	web	YES

Fields for the Web data model, and Web and Proxy event category

Object name(s)	Field name	Data type	Description	Possible values
Web	`action`	string	The action taken by the server or proxy.
Web	`app`	string	The app recording the data, such as IIS, Squid, or Bluecoat.
Web	`bytes`	int	The total number of bytes transferred (`bytes_in` + `bytes_out`).
Web	`bytes_in`	int	The number of inbound bytes transferred.
Web	`bytes_out`	int	The number of outbound bytes transferred.
Web	`category`	string	The category of traffic, such as may be provided by a proxy server.
Web	`cookie`	string	The cookie file recorded in the event.
Web	`dest`	string	The destination of the network traffic (the remote host). May be aliased from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`.
Web	`dest_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Web	`dest_category`	string
Web	`duration`	int	The time taken by the proxy event, in seconds.
Web	`http_content_type`	string	The content-type of the requested HTTP resource.
Web	`http_method`	string	The HTTP method used in the request.	`GET`, `POST`, `DELETE`, and so on.
Web	`http_referrer`	string	The HTTP referrer used in the request.
Web	`http_user_agent`	string	The user agent used in the request.
Web	`http_user_agent_length`	int	The length of the user agent used in the request.
Web	`product`	string	The product name of the proxy server, such as `SecureGateway`, `ISA`, or `Squid Proxy Server`. This field is used to automatically produce the vendor_product field used by data models.
Web	`site`	string	The virtual site which services the request, if applicable.
Web	`src`	string	The source of the network traffic (the client requesting the connection).
Web	`src_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Web	`src_category`	string
Web	`status`	int	The HTTP response code indicating the status of the proxy request.	`404`, `302`, `500`, and so on.
Web	`tag`	string	This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
Web	`uri_path`	string	the universal resource indicator path of the resource served by the webserver or proxy.
Web	`uri_query`	string	the universal resource indicator path of the resource requested by the client.
Web	`url`	string	The URL of the requested HTTP resource.
Web	`url_length`	int	The length of the URL.
Web	`user`	string	The user that requested the HTTP resource.
Web	`user_bunit`	string	These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Web	`user_category`	string
Web	`vendor`	string	The vendor of the proxy server, such as `Apache`, `BlueCoat`, `Microsoft`, or `Squid`. This field is used to automatically produce the vendor_product field used by data models.

Common Information Model Add-on Manual

Related Answers

Web

Comments