Network Resolution (DNS)
The fields and tags in the Network Resolution (DNS) data model describe DNS traffic, both server:server and client:server.
Tags used with the DNS event object
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables."
Object name | Tag name |
---|---|
DNS | network |
resolution | |
dns |
Fields for the Network Resolution event object
The following table lists the extracted and calculated fields for the event object in the model. The table does not include any inherited fields. For more information, see "How to use these reference tables."
Object name | Field name | Data type | Description | Expected values |
---|---|---|---|---|
DNS | additional_answer_count
|
number | Number of entries in the "additional" section of the DNS message. | |
DNS | answer
|
string | Resolved address for the query. | |
DNS | answer_count
|
number | Number of entries in the answer section of the DNS message. | |
DNS | authority_answer_count
|
number | Number of entries in the "authority" section of the DNS message. | |
DNS | dest
|
string | The destination of the network resolution event. You can alias this from more specific fields, such as dest_host , dest_ip , or dest_name .
|
|
DNS | dest_category
|
string | The category of the network resolution target, such as email_server or SOX-compliant .This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
|
DNS | dest_port
|
number | The destination port number. | |
DNS | dest_priority
|
string | The priority of the destination, if applicable. | |
DNS | duration
|
number | The time taken by the network resolution event, in seconds. | |
DNS | message_type
|
string | Type of DNS message. | Query, Response, unknown
|
DNS | query
|
string | The domain which needs to be resolved. Applies to messages of type "Query". | |
DNS | query_count
|
number | Number of entries that appear in the "Questions" section of the DNS query. | |
DNS | query_type
|
string | The DNS OpCode name as defined in https://tools.ietf.org/html/rfc2929#section-2.2. | Query, IQuery, Status, Notify, Update, unknown
|
DNS | reply_code
|
string | Return code for the response as defined in https://tools.ietf.org/html/rfc2929#section-2.3. | NoError, FormErr, ServFail, NXDomain, NotImp, Refused, YXDomain, YXRRSet, NotAuth, NotZone, BADVERS, BADSIG, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, unknown
|
DNS | reply_code_id
|
number | Numerical id of the return code as defined in https://tools.ietf.org/html/rfc2929#section-2.3. | 0-10, 16-21
|
DNS | response_time
|
number | The amount of time it took to receive a response in the network resolution event, if applicable. | |
DNS | src
|
string | The source of the network resolution event. You can alias this from more specific fields, such as src_host , src_ip , or src_name .
|
|
DNS | src_bunit
|
string | The business unit of the source. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
|
DNS | src_category
|
string | The category of the source, such as email_server or SOX-compliant .This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. |
|
DNS | src_port
|
number | The port number of the source. | |
DNS | src_priority
|
string | The priority of the source. | |
DNS | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
DNS | transaction_id
|
number | The unique numerical transaction id of the network resolution event. | |
DNS | transport
|
string | The transport protocol used by the network resolution event. | |
DNS | ttl
|
number | The time-to-live of the network resolution event. | |
DNS | vendor_product
|
string | The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist.
|
Malware | Network Sessions |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.2.0, 4.3.0, 4.3.1
Feedback submitted, thanks!