Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Splunk Audit Logs

This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.

The fields and tags in the Splunk Audit Logs data model and event category describe audit information for systems producing event logs.

Tags and constraints used with the Splunk Audit Logs data model and event category

| Object name(s) | Constraint | Required? |
|---|---|---|
| View_Activity | index=_internal sourcetype=splunk_web_access method=GET status=200 | YES |
| Datamodel_Acceleration | \| datamodelinfo | YES |
| Search_Activity | `search_activity` | YES |
| Web_Service_Errors | index=_internal sourcetype=splunk_web_service tag=error | YES |

Fields for the Splunk Audit Logs data model and event category

| Object name(s) | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Datamodel_Acceleration | access_count | int | | |
| Datamodel_Acceleration | access_time | timestamp | | |
| Datamodel_Acceleration | app | string | | |
| Datamodel_Acceleration | buckets | string | | |
| Datamodel_Acceleration | bucket_size | string | | |
| Datamodel_Acceleration | cron | string | | |
| Datamodel_Acceleration | complete | string | | |
| Datamodel_Acceleration | datamodel | string | | |
| Datamodel_Acceleration | digest | string | | |
| Datamodel_Acceleration | earliest | timestamp | | |
| Datamodel_Acceleration | is_inprogress | boolean | | |
| Datamodel_Acceleration | last_error | string | | |
| Datamodel_Acceleration | last_sid | string | | |
| Datamodel_Acceleration | latest | timestamp | | |
| Datamodel_Acceleration | mod_time | timestamp | | |
| Datamodel_Acceleration | retention | int | | |
| Datamodel_Acceleration | size | int | | |
| Datamodel_Acceleration | summary_id | string | | |
| Search_Activity | info | string | | |
| Search_Activity | search | string | | |
| Search_Activity | search_type | string | | |
| Search_Activity | user | string | | |
| View_Activity | app | string | | |
| View_Activity | user | string | | |
| View_Activity | view | string | | |
| Web_Service_Errors | event_id | string | | |

Last modified on 16 October, 2013

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2

