Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Web

The fields in the Web data model describe web server and/or proxy server data in a security or operational context.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with the Web event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name | Tag name
Web | web
    Proxy (child of Web) | proxy

Fields for Web event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

Dataset name | Field name | Data type | Description | Possible values
Web | action | string | The action taken by the server or proxy. |
Web | app | string | The app recording the data, such as IIS, Squid, or Bluecoat. |
Web | bytes | number | The total number of bytes transferred (bytes_in + bytes_out). |
Web | bytes_in | number | The number of inbound bytes transferred. |
Web | bytes_out | number | The number of outbound bytes transferred. |
Web | cached | boolean | Indicates whether the event data is cached or not. | true, false, 1, 0
Web | category | string | The category of traffic, such as may be provided by a proxy server. |
Web | cookie | string | The cookie file recorded in the event. |
Web | dest | string | The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. |
Web | dest_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | dest_category | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | dest_priority | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | duration | number | The time taken by the proxy event, in milliseconds. |
Web | http_content_type | string | The content-type of the requested HTTP resource. |
Web | http_method | string | The HTTP method used in the request. | GET, PUT, POST, DELETE, etc.
Web | http_referrer | string | The HTTP referrer used in the request. The HTTP specification spells the header "Referer", so many log formats and implementations emit the field as http_referer. Use a FIELDALIAS to handle both key names. |
Web | http_user_agent | string | The user agent used in the request. |
Web | http_user_agent_length | number | The length of the user agent used in the request. |
Web | response_time | number | The amount of time it took to receive a response, if applicable, in milliseconds. |
Web | site | string | The virtual site which services the request, if applicable. |
Web | src | string | The source of the network traffic (the client requesting the connection). |
Web | src_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | src_category | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | src_priority | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | status | string | The HTTP response code indicating the status of the proxy request. | 404, 302, 500, and so on.
Web | tag | string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. |
Web | uri_path | string | The path of the resource served by the webserver or proxy (the URL path, without the query string). |
Web | uri_query | string | The query string of the resource requested by the client, without the leading '?'. |
Web | url | string | The URL of the requested HTTP resource. |
Web | url_length | number | The length of the URL. |
Web | user | string | The user that requested the HTTP resource. |
Web | user_bunit | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | user_category | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | user_priority | string | Derived field provided by the Asset and Identity correlation features of certain advanced applications like Splunk Enterprise Security. Leave it blank when writing add-ons. |
Web | vendor_product | string | The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data. |
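The following is an added example of how an add-on maps a proxy source onto the tags and fields above; it is not code from the Splunk CIM add-on or from any vendor add-on. It assumes a hypothetical sourcetype acme:proxy whose events are key=value pairs (the sample event in the comment is constructed for this example), a hypothetical add-on directory TA-acme-proxy, and the vendor field names shown in the FIELDALIAS lines. The eventtype and tags satisfy the web and proxy constraints from the tags table; the aliases and calculated fields populate the Web fields, including bytes as bytes_in + bytes_out, uri_query without its leading '?', and an action normalised to allowed/blocked/unknown.

```ini
# TA-acme-proxy/default/props.conf (hypothetical add-on)
[acme:proxy]
# Constructed sample event this stanza is written against (one line):
#   2016-12-08T10:15:32Z result=TCP_DENIED client_ip=10.1.2.3 server_ip=93.184.216.34
#   method=GET url="http://example.com/index.php?id=42" status=403 req_bytes=512
#   resp_bytes=1024 referer="http://intranet.example.net/" agent="Mozilla/5.0"
#   elapsed_ms=17 cached=0 category=Malware user=jdoe
KV_MODE = auto
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20

# 1. Rename vendor keys to CIM Web field names. Aliases are applied before
#    calculated fields, so the EVALs below may use the CIM names.
FIELDALIAS-acme_web_src  = client_ip AS src
FIELDALIAS-acme_web_dest = server_ip AS dest server_ip AS dest_ip
FIELDALIAS-acme_web_http = method AS http_method agent AS http_user_agent
# The vendor spells the header "Referer"; map it to the CIM name http_referrer.
FIELDALIAS-acme_web_ref  = referer AS http_referrer
FIELDALIAS-acme_web_size = req_bytes AS bytes_in resp_bytes AS bytes_out elapsed_ms AS duration

# 2. Calculated fields. An EVAL may reference extracted or aliased fields,
#    but not another calculated field.
# The model does not enforce action values; allowed/blocked/unknown are used
# here so the data lines up with the other CIM models for correlation.
EVAL-action = case(match(result, "^TCP_DENIED"), "blocked", isnotnull(result), "allowed", true(), "unknown")
EVAL-bytes = bytes_in + bytes_out
EVAL-url_length = len(url)
EVAL-http_user_agent_length = len(http_user_agent)
# uri_path: the part after the host, up to the first '?' or '#'. Left null
# when the URL has no scheme (for example a CONNECT host:port) rather than
# letting replace() return the whole URL unchanged.
EVAL-uri_path = if(match(url, "^\w+://"), replace(url, "^\w+://[^/?#]+([^?#]*).*$", "\1"), null())
# uri_query: the text after the first '?', without the '?' itself; null when
# there is no query string.
EVAL-uri_query = if(match(url, "\?"), replace(url, "^[^?]*\?([^#]*).*$", "\1"), null())
# Hypothetical vendor/product name for this sourcetype.
EVAL-vendor_product = "Acme Proxy"

# TA-acme-proxy/default/eventtypes.conf
[acme_proxy_web]
search = sourcetype=acme:proxy

# TA-acme-proxy/default/tags.conf
# Both tags are needed: "web" puts events in the Web dataset, "proxy" in
# the child Proxy dataset.
[eventtype=acme_proxy_web]
web = enabled
proxy = enabled
```

After deploying the add-on, check that the sample event actually lands in the model rather than only in the sourcetype: `| datamodel Web Proxy search | search sourcetype=acme:proxy | table _time src dest http_method url uri_path uri_query status action bytes` should show uri_path=/index.php, uri_query=id=42, action=blocked and bytes=1536 for the constructed event. Once the model is accelerated, the same data is reachable with `| tstats count from datamodel=Web.Proxy where Web.action="blocked" by Web.src, Web.dest`, which is the form Enterprise Security correlation searches use. Fields left null (site, cookie, the *_bunit, *_category and *_priority fields) are intentional; the asset and identity fields are filled by Enterprise Security, not by the add-on.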

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.7.0


Comments

Hi Johnmccash, no, you should not include the leading '?' of the query. Thanks!

Rpille splunk, Splunker
December 8, 2016

Is uri_query supposed to contain the leading '?' or not?

Johnmccash
December 8, 2016

Thanks, SaintN. The models are kept as lean as possible so that, when accelerated, they can efficiently surface the minimum fields required for alerting purposes. If your logs split the value of the destination across multiple fields, you can extract and concatenate values from those other fields into the dest field.

Rpille splunk, Splunker
December 2, 2016

Why not have a dest_ip and dest_host in the Web CIM? Only aliasing one of those two values into "dest" isn't sufficient.

SaintN
November 22, 2016

Thanks, Mrsprague. I have updated the vendor_product field description here and on several other models to reflect that the field should cover both vendor and product and that it can be extracted from the raw vendor and product fields, if they exist. Thanks!

Rpille splunk, Splunker
February 11, 2016

It looks like there might be an error in the 'vendor_product' field specification. "The vendor of the proxy server, such as Squid Proxy Server." looks like what 'vendor' used to be defined as.

Mrsprague
February 11, 2016

Thanks for your comment, Mrsprague. We formerly documented "allowed, blocked, unknown" as the values for this field, but deleted them because they are not actually enforced by the model. There is an enhancement request filed to be more consistent with whether and how we prescribe values for this field across models, and I'll add your comment to help it along. Thanks!

Rpille splunk, Splunker
January 6, 2016

Should the action field perhaps specify possible values of "allowed, blocked, unknown" in order to better align with other data models for correlation?

Mrsprague
December 21, 2015

In the actual data model, the Web object is actually constrained by "sourcetype=iis". Is this a bug?

Kundeng
April 27, 2015
