This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Web
The fields in the Web data model describe web server and/or proxy server data in a security or operational context.
Tags used with the Web event objects
Object name | Tag name |
---|---|
Web | web |
Web | proxy |
Fields for Web event objects
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
Web | action | string | The action taken by the server or proxy. | |
Web | app | string | The app recording the data, such as IIS, Squid, or Bluecoat. | |
Web | bytes | number | The total number of bytes transferred (bytes_in + bytes_out). | |
Web | bytes_in | number | The number of inbound bytes transferred. | |
Web | bytes_out | number | The number of outbound bytes transferred. | |
Web | category | string | The category of traffic, such as may be provided by a proxy server. | |
Web | cookie | string | The cookie file recorded in the event. | |
Web | dest | string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
Web | dest_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | dest_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | dest_priority | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | duration | number | The time taken by the proxy event, in seconds. | |
Web | http_content_type | string | The content-type of the requested HTTP resource. | |
Web | http_method | string | The HTTP method used in the request. | GET, POST, DELETE, and so on. |
Web | http_referrer | string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names. | |
Web | http_user_agent | string | The user agent used in the request. | |
Web | http_user_agent_length | number | The length of the user agent used in the request. | |
Web | site | string | The virtual site which services the request, if applicable. | |
Web | src | string | The source of the network traffic (the client requesting the connection). | |
Web | src_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | src_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | src_priority | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | status | string | The HTTP response code indicating the status of the proxy request. | 404, 302, 500, and so on. |
Web | tag | string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
Web | uri_path | string | The universal resource indicator path of the resource served by the webserver or proxy. | |
Web | uri_query | string | The universal resource indicator path of the resource requested by the client. | |
Web | url | string | The URL of the requested HTTP resource. | |
Web | url_length | number | The length of the URL. | |
Web | user | string | The user that requested the HTTP resource. | |
Web | user_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | user_category | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | user_priority | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Web | vendor_product | string | The vendor of the proxy server, such as Squid Proxy Server. | |
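
The FIELDALIAS recommendation for http_referrer and the web and proxy tags from this topic, written out as search-time configuration for an add-on. This is an added example, not part of the Splunk documentation. The sourcetype example:proxy, the event type name example_proxy_web, and the assumption that the raw events already extract http_referer, bytes_in, bytes_out, url, and http_user_agent are hypothetical.

```ini
# ---- props.conf ----
# Hypothetical sourcetype; substitute the add-on's own.
[example:proxy]
# The source logs use the misspelled key http_referer. Alias it so that
# searches against the CIM name http_referrer match, while the original
# key remains searchable.
FIELDALIAS-cim_http_referrer = http_referer AS http_referrer
# Calculated fields are evaluated after field aliases at search time.
# bytes is the total transferred, as defined in the field table.
EVAL-bytes = bytes_in + bytes_out
EVAL-url_length = len(url)
EVAL-http_user_agent_length = len(http_user_agent)
# No settings for dest_bunit, dest_category, dest_priority, the src_* and
# user_* equivalents, or tag: those are derived fields and are left blank
# by the add-on.

# ---- eventtypes.conf ----
# Hypothetical event type that selects the proxy events.
[example_proxy_web]
search = sourcetype="example:proxy"

# ---- tags.conf ----
# Apply both tags listed for the Web object to that event type.
[eventtype=example_proxy_web]
web = enabled
proxy = enabled
```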
Last modified on 18 November, 2014
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0