Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017.
This documentation does not apply to the most recent version of Splunk.

Understand and use the Common Information Model

The Common Information Model is based on the idea that you can break down most log files into two components:

  • fields
  • field category tags

With these two components a savvy knowledge manager should be able to set up their log files in a way that makes them easily processable by Splunk, normalizes noncompliant log files, and forces them to follow a similar schema. The Common Information Model details the standard fields and field category tags that Splunk uses when it processes most IT data.

Normalizing the standard event format

This is the recommended format that should be used when events are generated or written to a system:

<timestamp> name="<name>" event_id=<event_id> <key>=<value>

Any number of field key-value pairs are allowed. For example:

2008-11-06 22:29:04 name="Failed Login" event_id=sshd:failure src_ip=10.2.3.4 src_port=12355 dest_ip=192.168.1.35 dest_port=22

The keys are those listed under "Standard fields and event category tags" below. name and event_id are mandatory.

When an event from a Cisco PIX log is made compliant with the Common Information Model format, the following PIX event:

Sep 2 15:14:11 10.235.224.193 local4:warn|warning fw07 %PIX-4-106023: Deny icmp src internet:213.208.19.33 dst eservices-test-ses-public:193.8.50.70 (type 8, code 0) by access-group "internet_access_in"

looks as follows:

2009-09-02 15:14:11 name="Deny icmp" event_id=106023 vendor=CISCO product=PIX log_level=4 dvc_ip=10.235.224.193 dvc_host=fw07 syslog_facility=local4 syslog_priority=warn src_ip=213.208.19.33 dest_ip=193.8.50.70 src_network=internet dest_network=eservices-test-ses-public icmp_type=8 icmp_code=0 protocol=icmp rule_number="internet_access_in"
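The translation above, as an added example in Python (this is not code from the Splunk documentation). The parser targets the ICMP form of PIX message 106023 shown here; the year is an assumption supplied by the caller because the syslog timestamp carries none, and the emitter double-quotes only values that contain characters outside a simple token set, so rule_number comes out unquoted. The sample line is the PIX event quoted above.

```python
"""Normalize a Cisco PIX syslog line into the CIM standard event format:
<timestamp> name="<name>" event_id=<event_id> <key>=<value> ...
Added example, not Splunk's own code."""
import re
from datetime import datetime

# Constructed sample: the PIX event quoted on this page.
PIX_LINE = (
    'Sep 2 15:14:11 10.235.224.193 local4:warn|warning fw07 %PIX-4-106023: '
    'Deny icmp src internet:213.208.19.33 dst eservices-test-ses-public:'
    '193.8.50.70 (type 8, code 0) by access-group "internet_access_in"'
)

# Syslog header as relayed by the PIX: "Mon D HH:MM:SS <dvc_ip> facility:priority|level host %PIX-N-ID: msg"
HEADER_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<dvc_ip>\S+) (?P<facility>\w+):(?P<priority>\w+)(?:\|\w+)? '
    r'(?P<dvc_host>\S+) %PIX-(?P<level>\d)-(?P<event_id>\d+): (?P<msg>.*)$'
)
# Body of the ICMP variant of message 106023.
DENY_RE = re.compile(
    r'^Deny (?P<protocol>\w+) src (?P<src_network>[^:\s]+):(?P<src_ip>\S+) '
    r'dst (?P<dest_network>[^:\s]+):(?P<dest_ip>\S+) '
    r'\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) '
    r'by access-group "(?P<rule_number>[^"]+)"$'
)
MANDATORY = ('name', 'event_id')
SAFE_TOKEN = re.compile(r'^[A-Za-z0-9._:/-]+$')  # values outside this set get quoted


def parse_pix(line, year):
    """Return a dict of CIM fields for a PIX ICMP-deny line, or None if it does not match."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    body = DENY_RE.match(head['msg'])
    if not body:
        return None
    # year is an assumption: syslog timestamps omit it
    ts = datetime.strptime(f"{year} {head['mon']} {head['day']} {head['time']}",
                           '%Y %b %d %H:%M:%S')
    return {
        '_time': ts.strftime('%Y-%m-%d %H:%M:%S'),
        'name': f"Deny {body['protocol']}",
        'event_id': head['event_id'],
        'vendor': 'CISCO',
        'product': 'PIX',
        'log_level': head['level'],
        'dvc_ip': head['dvc_ip'],
        'dvc_host': head['dvc_host'],
        'syslog_facility': head['facility'],
        'syslog_priority': head['priority'],
        'src_ip': body['src_ip'],
        'dest_ip': body['dest_ip'],
        'src_network': body['src_network'],
        'dest_network': body['dest_network'],
        'icmp_type': body['icmp_type'],
        'icmp_code': body['icmp_code'],
        'protocol': body['protocol'],
        'rule_number': body['rule_number'],
    }


def missing_mandatory(fields):
    """Names of mandatory CIM fields that are absent or empty."""
    return [k for k in MANDATORY if not fields.get(k)]


def kv(key, value):
    """One key=value pair; quote (and escape embedded quotes) when the value is not a bare token."""
    v = str(value)
    if SAFE_TOKEN.match(v):
        return f'{key}={v}'
    return '{}="{}"'.format(key, v.replace('"', '\\"'))


def format_cim(fields):
    """Serialize: timestamp, then name and event_id, then the remaining pairs in order."""
    missing = missing_mandatory(fields)
    if missing:
        raise ValueError(f'mandatory CIM field(s) missing: {missing}')
    rest = [k for k in fields if k not in MANDATORY and k != '_time']
    pairs = [kv(k, fields[k]) for k in (*MANDATORY, *rest)]
    return f"{fields['_time']} {' '.join(pairs)}"


if __name__ == '__main__':
    print(format_cim(parse_pix(PIX_LINE, 2009)))
```

Lines that do not match either pattern return None rather than a half-populated event, so the caller can route them to a separate sourcetype instead of silently emitting a record without name and event_id.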

Standard fields and event category tags

This section presents lists of standard fields that can be extracted from event data as custom search-time field extractions. Tags for event data are included with each category, if applicable.

Please note that we strongly recommend that all of these field extractions be performed at search time. There is no need to add these fields to the set of default fields that Splunk extracts at index time.

For more information about the index time/search time distinction, see "Index time versus search time" in the Managing Indexers and Clusters manual. For more information about performing field extractions at search time, see "Create search-time field extractions" in this manual.

Note that some of these field extractions are fields that have a narrowly defined set of possible values. For example, in most cases an action field can have only two values: success or failure. Most fields have a wide range of possible values, however. For example, affected_user_id, a six-digit user id number, has a large number of possible values. While the set of possible values for a six-digit user id are finite, you wouldn't try to list all of them.

We've also grouped fields together into event categories. You'll see that in some cases the same field appears in several different categories. This is because the meaning of a field can change depending on the context of the event type it belongs to. For example, in an authentication event, the dest field represents the target of the authentication event (the thing being authenticated). But in an intrusion detection/prevention event, dest usually refers to the destination of the attack detected by the intrusion detection system (the target of the attack).

Note: When Expected values is blank for a field, any value fitting the field's Data type can be used.

Category tags correspond to the event categories described in the field tables. If a tag is listed as required for a particular event category, it should be present for all events that belong to that category. Other tags listed are optional.

Alerts

The fields in the Alerts event category describe the alerts, events, or tasks that should be made available across multiple Splunk contexts. They are not to be used to describe Splunk Alerts or Notable Events.

Tags used with the Alerts event category:

Tag name Required?
alert YES

Fields for the Alerts event category:

Field name Data type Description Expected values
app string The application involved in the event, such as win:app:trendmicro, vmware, nagios.
dest string The destination where the alert message was sent to, such as an email address or SNMP trap. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
body string The body of a message.
id string The unique identifier of a message.
severity string The severity of a message. critical, high, medium, low, informational, unknown

Note: This field is a string. Please use the severity_id field for severity ID fields that are integer data types. Specific values are required. Please use vendor_severity for the vendor's own human-readable strings (such as Good, Bad, Really Bad, and so on).
severity_id int A numeric severity indicator for a message.
src string The source of the message. May be aliased from more specific fields, such as src_host, src_ip, or src_name. Also see the optional src_* fields listed in Optional Subject Fields.
subject string The message subject. free-form
type string The message type. alarm, alert, event, task, unknown

Application State

The fields in the Application State event category describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Field name Data type Description Expected values
dest string The compute resource where the service is installed. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dest_port MV string Network ports communicated to by the process, such as UDP/53 or TCP/53.
process string The name of a process or service file, such as sqlsrvr.exe or httpd.

Note: This field is not appropriate for service or daemon names, such as SQL Server or Apache Web Server. Service or daemon names belong to the service field (see below). Also, note that this field is a string. Please use a process_id field for process ID fields that are integer data types.
process_id int A numeric indicator (PID) for a process.

Note: This field is an integer. Please use the process field for process names.
service string The name of the service, such as SQL Server or Apache Web Server.

Note: This field is not appropriate for filenames, such as sqlsrvr.exe or httpd. Filenames belong to the process field instead. Also, note that this field is a string. Please use the service_id field for service ID fields that are integer data types.
service_id int A numeric indicator for a service.

Note: This field is an integer. Please use the service field for service names.
start_mode string The start mode for the service. disabled, enabled, auto, unknown.
status string The status of the service. critical, started, stopped, warning, unknown
transport MV string The network ports listened to by the application process such as UDP/6667 and TCP/8080.
user string The user account the service is running as, such as System or httpdsvc.

Asset

The fields in the Asset event category describe inventory items that should be made available across multiple Splunk app contexts.

Note: Any field in the Asset event category can be optionally prepended with dest_, dvc_, host_, orig_host_, or src_ for enrichment purposes. These fields are not required, but are often used in Apps alongside dest, dvc, host, orig_host, or src if they are available.

Tags are not applicable to the Asset event category.

Fields for the Asset event category:

Field name Data type Description Expected values
bunit string The business unit of the asset, such as Marketing.
category MV string The category of the asset, such as email_server or SOX-compliant.
city string The city where the asset is located, such as San Francisco.
compliance MV string Compliance standards that may apply to this asset, such as PCI or ISO27002.
compliance_group MV string Compliance standard groupings that may apply to this asset, such as cardholder or dmz. Expected values are dependent on compliance Apps; see App-specific documentation.
compliance_rule MV string Compliance rule(s) that are applicable to the asset. Expected values are dependent on compliance Apps; see App-specific documentation.
compliance_section MV string Compliance sections(s) that are applicable to the asset. Expected values are dependent on compliance Apps; see App-specific documentation.
country string The country where the asset is located, such as USA.
dns MV string A fully qualified domain name (FQDN) associated with the asset, such as server42.splunk.com.
ip MV string An IP address (either v4 or v6) associated with the asset, such as 192.168.4.2. Note: Please remove zero-padding on this field.
is_expected boolean A flag indicating whether the asset is expected to continually send data to Splunk. Note: Some apps may alert if is_expected is set to true for an asset that is not sending data. true, false
lat string The latitude of an asset's location.
location string The physical location of an asset.
long string The longitude of an asset's location.
mac MV string A MAC address associated with the asset, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field.
name MV string The cross-platform short name or NetBIOS name of the asset, such as server42.
owner MV string The owner of the asset, such as jdoe.
priority string The priority of the asset. critical, high, medium, low, informational, unknown
province string The province or state where the asset is located, such as California.
requires_av boolean Flag that indicates whether the asset is expected to use a local antivirus or endpoint protection tool. Note that some apps may alert if requires_av is set to true for an asset that is not running an antivirus service and/or does not have event types properly configured for that service. true, false
should_timesync boolean Flag that indicates whether the asset is expected to maintain time synchronization. Note that some apps may alert if should_timesync is set to true for an asset that is not running a time synchronization service and/or does not have event types properly configured for that service. true, false
should_update boolean Flag that indicates whether the asset is expected to regularly apply patches. Note that some apps may alert if should_update is set to true for an asset that is not running a patching service and/or does not have event types properly configured for that service. true, false
virt_name MV string A virtual or management platform name associated with the asset, such as MKTGPROD-WEB42.
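The two normalization notes in the table above (strip zero-padding from ip, force lower case on mac) plus the boolean and multivalue conventions, applied by an added Python example that is not Splunk's own code. The raw input shape (a dict of strings exported from an asset lookup, MV fields separated by ';', flags possibly written as Y/N) is an assumption for the example; the sample row is constructed.

```python
"""Normalize Asset records to the conventions in the Asset field table.
Added example, not Splunk's own code."""
import ipaddress
import re

# Field groups transcribed from the Asset table above.
MV_FIELDS = {'category', 'compliance', 'compliance_group', 'compliance_rule',
             'compliance_section', 'dns', 'ip', 'mac', 'name', 'owner', 'virt_name'}
BOOL_FIELDS = {'is_expected', 'requires_av', 'should_timesync', 'should_update'}
# Assumptions for this example: the export separates MV values with ';' and may
# spell the boolean flags as Y/N or yes/no instead of the expected true/false.
MV_SEPARATOR = ';'
TRUE_WORDS = {'true', 't', 'yes', 'y', '1'}
FALSE_WORDS = {'false', 'f', 'no', 'n', '0'}


def normalize_ip(value):
    """IPv4: drop leading zeros per octet ("192.168.004.002" -> "192.168.4.2").
    IPv6: RFC 5952 compressed lower-case form from the ipaddress module."""
    if ':' in value:
        return str(ipaddress.IPv6Address(value))  # raises ValueError on junk
    octets = value.split('.')
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f'not an IPv4 address: {value!r}')
    return '.'.join(str(int(o)) for o in octets)


def normalize_mac(value):
    """Lower-case colon-separated form; accepts dash, dot or no separators on input."""
    digits = re.sub(r'[^0-9a-fA-F]', '', value).lower()
    if len(digits) != 12:
        raise ValueError(f'not a MAC address: {value!r}')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_bool(value):
    """Map the accepted spellings onto the expected values true/false."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return 'true'
    if word in FALSE_WORDS:
        return 'false'
    raise ValueError(f'not a boolean flag: {value!r}')


def normalize_asset(raw):
    """Return (record, problems). MV fields become lists; a field whose value
    cannot be normalized is left out of the record and reported in problems."""
    record, problems = {}, []
    for key, value in raw.items():
        if key in MV_FIELDS:
            values = [v.strip() for v in value.split(MV_SEPARATOR) if v.strip()]
        else:
            values = [value.strip()]
        try:
            if key == 'ip':
                values = [normalize_ip(v) for v in values]
            elif key == 'mac':
                values = [normalize_mac(v) for v in values]
            elif key in BOOL_FIELDS:
                values = [normalize_bool(v) for v in values]
            elif key == 'priority':
                values = [values[0].lower()]  # expected values are lower case
        except ValueError as err:
            problems.append(str(err))
            continue
        record[key] = values if key in MV_FIELDS else values[0]
    return record, problems


# Constructed sample row in the raw shape assumed above.
RAW_ASSET = {
    'name': 'server42',
    'ip': '192.168.004.002;FE80:0000:0000:0000:0202:B3FF:FE1E:8329',
    'mac': '06-10-9F-EB-8F-14',
    'is_expected': 'Y',
    'requires_av': 'no',
    'priority': 'High',
    'owner': 'jdoe',
}

if __name__ == '__main__':
    print(normalize_asset(RAW_ASSET))
```

Rejected values are dropped rather than passed through, because a padded IP or mixed-case MAC in an asset lookup silently fails to join against the normalized values in event data.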

Authentication

The fields in the Authentication event category describe login and logout activities from any data source.

Tags used with the Authentication event category:

Tag name Required?
authentication YES
privileged NO
cleartext NO
insecure NO
default NO

Fields for the Authentication event category:

Field name Data type Description Expected values
action string The action performed on the resource. success, failure, unknown
app string The application involved in the event (such as ssh, splunk, win:local).
dest string The target involved in the authentication. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_nt_host.
src string The source involved in the authentication. In the case of endpoint protection authentication the src is the client. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host.

Note: Do not confuse src with the event source or sourcetype fields.
src_user string In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
user string The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.
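The rules from the introduction to this section (a required tag must be present on every event in its category, a field with listed expected values may hold only those, a blank expected-values cell means any value of the data type) checked in code, as an added Python example that is not Splunk's own. The schema encodes the Authentication table above and the Application State table; Application State lists no tags on this page, so its tag sets are empty. The sample events are constructed, and fields outside the table are deliberately left unchecked since vendor-specific extras sit alongside CIM fields.

```python
"""Check normalized events against CIM category definitions.
Added example, not Splunk's own code."""

# Schema excerpts transcribed from the tables on this page. Data types follow
# the tables: "string", "int", "boolean", "MV string" (multivalue, a list).
# An empty expected set means any value of the data type is acceptable.
CATEGORIES = {
    'authentication': {
        'required_tags': {'authentication'},
        'optional_tags': {'privileged', 'cleartext', 'insecure', 'default'},
        'fields': {
            'action': ('string', {'success', 'failure', 'unknown'}),
            'app': ('string', set()),
            'dest': ('string', set()),
            'src': ('string', set()),
            'src_user': ('string', set()),
            'user': ('string', set()),
        },
    },
    'application_state': {
        'required_tags': set(),   # no tag table is given for this category
        'optional_tags': set(),
        'fields': {
            'dest': ('string', set()),
            'dest_port': ('MV string', set()),
            'process': ('string', set()),
            'process_id': ('int', set()),
            'service': ('string', set()),
            'service_id': ('int', set()),
            'start_mode': ('string', {'disabled', 'enabled', 'auto', 'unknown'}),
            'status': ('string', {'critical', 'started', 'stopped', 'warning', 'unknown'}),
            'transport': ('MV string', set()),
            'user': ('string', set()),
        },
    },
}


def type_ok(dtype, value):
    """True when value has the Python shape corresponding to the CIM data type."""
    if dtype == 'string':
        return isinstance(value, str)
    if dtype == 'int':
        return isinstance(value, int) and not isinstance(value, bool)
    if dtype == 'boolean':
        return value in ('true', 'false')
    if dtype == 'MV string':
        return isinstance(value, list) and all(isinstance(v, str) for v in value)
    return False


def validate(category, fields, tags):
    """Return a list of problems; an empty list means the event conforms to the category."""
    schema = CATEGORIES[category]
    problems = []
    for tag in sorted(schema['required_tags'] - set(tags)):
        problems.append(f'missing required tag: {tag}')
    for tag in sorted(set(tags) - schema['required_tags'] - schema['optional_tags']):
        problems.append(f'tag not defined for category: {tag}')
    for key, value in fields.items():
        if key not in schema['fields']:
            continue  # vendor-specific extras are allowed alongside CIM fields
        dtype, expected = schema['fields'][key]
        if not type_ok(dtype, value):
            problems.append(f'{key}: expected {dtype}, got {type(value).__name__}')
        elif expected and value not in expected:
            problems.append(f'{key}: value {value!r} not in expected values {sorted(expected)}')
    return problems


# Constructed sample events.
GOOD_LOGIN = {'action': 'failure', 'app': 'ssh', 'src': '10.2.3.4',
              'dest': '192.168.1.35', 'user': 'root'}
BAD_LOGIN = {'action': 'denied', 'app': 'ssh', 'src': '10.2.3.4',      # vendor word, not CIM
             'dest': '192.168.1.35', 'user': 'root'}
SERVICE = {'dest': 'web01', 'process': 'httpd', 'process_id': '1234',  # PID as a string
           'transport': 'TCP/8080', 'status': 'started'}               # MV field as a scalar

if __name__ == '__main__':
    for cat, ev, tg in (('authentication', GOOD_LOGIN, ['authentication']),
                        ('authentication', BAD_LOGIN, []),
                        ('application_state', SERVICE, [])):
        print(cat, validate(cat, ev, tg) or 'ok')
```

Running the checker over a sample of each sourcetype before building reports on a category is what turns a vendor value such as action=denied into a deliberate mapping to failure rather than a silent gap in search results.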

Change Analysis

The fields in the Change Analysis event category describe Create, Read, Update, and Delete activities from any data source.

Tags used with the Change Analysis event category:

Tag name Required?
account NO
change YES
endpoint NO
network NO

Fields for the Change Analysis event category:

Field name Data type Description Expected values
action string The action performed on the resource. created, read, modified, deleted, acl_modified, unknown
change_type string The type of change, such as filesystem or AAA.
command string The command that initiated the change.
dest string The resource where change occurred. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dvc string The device that reported the change, if applicable, such as a FIP or CIM server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
file_access_time timestamp The time the file (the object of the event) was accessed.
file_acl string Access controls associated with the file affected by the event.
file_create_time timestamp The time the file (the object of the event) was created.
file_hash string A cryptographic identifier assigned to the file object affected by the event.
file_modify_time timestamp The time the file (the object of the event) was altered.
file_name string The name of the file that is the object of the event (without location information related to local file or directory structure).
file_path string The location of the file that is the object of the event, in local file and directory structure terms.
file_size int The size of the file that is the object of the event, in kilobytes.
object string Name of the affected object on the resource (such as a router interface, user account, or server volume).
object_attrs MV string The attributes that were updated on the updated resource object, if applicable.
object_category string Generic name for the class of the updated resource object. Expected values may be specific to an App. directory, file, group, object, registry, unknown, user
object_id string The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value).
object_path string The path of the modified resource object, if applicable (such as a file, directory, or volume).
product string The product name of the device that detected the change, such as Splunk, IBM, or Tripwire.
src string The resource where the change was originated. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
status string Status of the update. success, failure, unknown
result string The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. Note: result is a string. Please use the result_id field for result indicators that are integer data types.
result_id int A numeric result indicator for an action status.
user string The user or entity performing the change (can be UID or PID).
vendor string The vendor of the file monitoring product, such as UF, TEM, or Enterprise.

Compute Inventory

The fields in the Compute Inventory event category describe common compute infrastructure components from any data source.

Tags used with the Compute Inventory event category:

Tag name Required?
cpu NO
inventory NO
memory NO
network NO
os NO
resource YES
snapshot NO
storage NO
tools NO
virtual NO

Fields for the Compute Inventory event category:

Field name Data type Description Expected values
cpu int The maximum speed of the CPU reported by the resource (in megahertz).
cpu_cores int The number of CPU cores reported by the resource (total, not per CPU).
cpu_count int The number of CPUs reported by the resource.
cpu_vendor string The product vendor of the CPU reported by the resource.
description string A description field provided in some data sources.
dest string The system where the data originated. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
family string The product family of the resource, such as x86_64 or RISC.
hypervisor_enabled string Indicates whether a physical system is hypervisor-enabled. true, false, unknown
hypervisor_host string The hypervisor hosting this resource, if applicable.
hypervisor_id string The hypervisor identifier, if applicable.
interface MV string The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.
ip MV string The network addresses of the computing resource, such as 192.168.1.1 and FE80:0000:0000:0000:0202:B3FF:FE1E:8329.
mac MV string The media access control addresses of the resource.
mem int The total amount of memory installed in or allocated to the resource, in megabytes.
mgmt_address string The management interface address of the resource, if applicable.
model string The product model of the resource, such as i7 or Barracuda.
mount string The path at which a storage resource is mounted.
name string A name field provided in some data sources.
os string The operating system of the resource, such as Microsoft Windows Server 2008r2. Should be constructed from the vendor, product, and version fields.
product string The resource product name, such as DL 380.

Note: Many Apps will merge vendor and product into a single vendor_product field; this may be prepopulated from the data. In addition, the vendor, product, and version fields can be combined to create the os field.
product_version string The resource product version, such as G8.
resource_type string The compute resource's type. array, disk, cluster, network, physical, rpool, system, virtual, vm, unknown
size int The snapshot file size, in megabytes.
snapshot string The name of a snapshot file.
status string The state of a compute resource, such as hypervisor tools, if applicable. critical, installed, started, stopped, warning, uninstalled, unknown
storage int The amount of storage capacity allocated to the resource, in megabytes.
storage_type string Description of the storage technology, such as local:ssd or netapp:iscsi.
vendor string The vendor of the resource, such as HP.

Note: Many Apps will merge vendor and product into a single vendor_product field. This may be populated from the data. In addition, the vendor, product, and version fields can be combined to create the os field.
version string The version of a compute resource, such as 2008r2 or 3.0.0.

DHCP

The fields in the DHCP event category describe DHCP traffic (whether server:server or client:server).

Tags used with the DHCP event category:

Tag name Required?
dhcp YES

Fields for the DHCP event category:

Field name Data type Description Expected values
action string The action taken by the reporting device. added, blocked, unknown
dest string The recipient of a DHCP event (such as a client-service server or a relay server). May be aliased from more specific fields, such as dest_mac, dest_host, dest_ip, or dest_name.
dvc string The DHCP server recording the DHCP event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
product string The DHCP server product name, such as MS-DHCP.
src string The originator of a DHCP event (such as a querying client or a transferring server). May be aliased from more specific fields, such as src_mac, src_host, src_ip, or src_name.
vendor string The DHCP server vendor name, such as ISC.

DNS

The fields in the DNS event category describe DNS traffic (whether server:server or client:server).

Tags used with the DNS event category:

Tag name Required?
dns YES

Fields for the DNS event category:

Field name Data type Description Expected values
action string The action taken by the reporting device. added, blocked, unknown
app string The handling process, such as MS-DNS or BIND.
dest string The recipient of a DNS event (such as a client-service server or a relay server). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dest_record string The remote DNS resource record being acted upon.
dest_zone string The DNS zone that is being received by the slave as part of a zone transfer.
dvc string The DNS server recording the DNS event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
flag string Reports whether the recursion desired flag was set (+ if set, - if not set).
product string The DNS server product name, such as BIND.
query string The DNS domain that has been queried.
record_class string The DNS resource record class, such as IN (internet - default), HS (Hesiod - historic), or CH (Chaos - historic). IN, HS, CH, unknown
record_type string The DNS resource record type, such as SRV or A.
src string The originator of a DNS event (such as a querying client or a transferring server). May be aliased from more specific fields, such as src_host, src_ip, or src_name.
src_domain string The local DNS domain that is involved in a domain transfer.
src_record string The local DNS resource record being updated.
src_zone string The DNS zone that is being transferred by the master as part of a zone transfer.
vendor string The DNS server vendor name, such as ISC.

Email

The fields in the Email event category describe email traffic (whether server:server or client:server).

Tags used with the Email event category:

Tag name Required?
email YES

Fields for the Email event category:

Field name Data type Description Expected values
action string Action taken by the reporting device. delivered, blocked, quarantined, unknown
app string The email handling process, such as postfix or domino.
attachment_id MV string The attachment identifier number, if applicable, as assigned by mail systems such as Microsoft Exchange or Lotus Domino.
attachment_type MV string The attachment MIME type.
cc_ip MV string This field is used in a multi-hop email transaction event. It should be the client IP when the event-generating device is acting as a client, such as a gateway forwarding to a hub. IP addresses are specified by normal convention.
cs_ip MV string This field is used in a multi-hop email transaction event. It should be the client IP when the event-generating device is acting as a server, such as a hub receiving mail from a gateway. IP addresses are specified by normal convention.
delay int Total sending delay in seconds.
dest string The endpoint system to which the email was delivered. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dvc string The email server recording the email event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
internal_message_id string Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport).
message_id string The globally-unique message identifier.
message_size int The email message size, in bytes.
message_subject string The email subject line.
message_priority string The priority of the message.
mime_count int The number of MIME attachments in the email.
mime_titles MV string The titles of MIME attachments in the email.
product string The email server product name, such as Exchange.
protocol string The email protocol involved, such as SMTP and RPC.
recipient MV string A field listing individual recipients, such as recipient="foo@splunk.com", recipient="bar@splunk.com".
recipients string All recipients in a single field, such as recipients="foo@splunk.com,bar@splunk.com".
recipients_number int Number of recipients.
sc_ip MV string This field is used in a multi-hop email transaction event. It should be the server IP when the event-generating device is acting as a client, such as a gateway forwarding to a hub. IP addresses are specified by normal convention.
sender string The email account responsible for sending an email.
sender_auth string The authentication type used by the sender, if any.
src string The system that sent the email. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
ss_ip MV string This field is used in a multi-hop email transaction event. It should be the server IP when the event-generating device is acting as a server, such as a mailbox store receiving messages from a hub. IP addresses are specified by normal convention.
tls_verify string The transport encryption verification state of the email, if any. success, failure, unknown
txn_delay int Delay of a single transaction, in seconds.
vendor string The email server vendor name, such as Microsoft.

Identity

The fields in the Identity event category describe individual account holders that should be made available across multiple Splunk app contexts.

Tags are not applicable to the Identity event category.

Fields for the Identity event category:

Field name Data type Description Expected values
bunit string The business unit of the identity, such as Sales.
category MV string The category of the identity, such as sales or customer_facing.
city string The city where the identity is based, such as San Francisco.
country string The country where the identity is based, such as USA.
email MV string The email address (or addresses) associated with the identity. Note that this is a multivalue field.
employed_days int The total number of days that the identity has been employed by the organization (either end_date-start_date or now-start_date).
end_date timestamp The end date of the identity, leave blank if not applicable. Note that presence of an end_date in the past may cause some Apps to create alerts from events involving this identity.
first string A first name for the identity, such as Jane.
identity MV string Account names and numbers associated with the identity. Note that this is a multivalue field.
last string A last name for the identity, such as Doe.
lat string The latitude of the identity's base location.
location string The base location for the identity, such as an office name.
long string The longitude of the identity's base location.
managed_by MV string The manager(s) of the identity such as jdoe. Note that this is a multivalue field and should use account names or numbers from the identity field.
nick string A nickname for the identity, such as Moerex.
phone MV string A phone number (or set of phone numbers) for the identity. Note that this is a multivalue field.
prefix string A prefix for the identity, such as Mr.
priority string The priority of the identity. critical, high, medium, low, informational, unknown
start_date timestamp The start date of the identity.
suffix string A suffix for the identity, such as Jr.
watchlist boolean Flag if the identity is on a watchlist. Note that some apps may create alerts for events that involve this identity if this flag is set. true, false

Intrusion Detection/Prevention

The fields in the Intrusion Detection/Prevention event category describe attack detection events gathered by network monitoring devices and apps.

Tags used with the Intrusion Detection/Prevention event category:

Tag name Required?
ids YES
attack YES

Fields for the Intrusion Detection/Prevention event category:

Field name Data type Description Expected values
category string The vendor-provided category of the triggered signature, such as spyware.

Note: This field is a string. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).
dest string The destination of the attack detected by the intrusion detection system (IDS). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dvc string The device that detected the intrusion event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
ids_type string The type of IDS that generated the event. network, host, application
product string The product name of the IDS or IPS system, such as ISS or Tipping Point.
severity string The severity of the network protection event. critical, high, medium, low, informational, unknown

Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types (severity_id fields are optional, so they are not included in this table). Also, specific values are required for this field. Use vendor_severity for the vendor's own human-readable severity strings (such as Good, Bad, and Really Bad).
signature string The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre.

Note: This is a string value; please use signature_id for numeric indicators (signature_id fields are optional, so they are not included in this table).
src string The source involved in the attack detected by the IDS. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
user string The user involved with the intrusion detection event.
vendor string The vendor of the IDS or IPS, such as IBM or HP.

Java Virtual Machines

The fields in the Java Virtual Machines event category describe generic Java server platforms.

Tags used with the Java Virtual Machines event category:

Tag name Required?
jvm YES

Fields for the Java Virtual Machines event category:

Field name Data type Description Expected values
class_loading_current int The current count of classes loaded in the JVM.
class_loading_total int The total count of classes loaded in the JVM.
class_loading_unloaded int The total count of classes unloaded from the JVM.
cm_enabled boolean Indicates whether thread contention monitoring is enabled. true, false
cm_supported boolean Indicates whether the JVM supports thread contention monitoring. true, false
compilation_time int Time taken by JIT compilation.
cpu_time_enabled boolean Indicates whether thread CPU time measurement is enabled. true, false
cpu_time_supported boolean Indicates whether the Java virtual machine supports CPU time measurement for the current thread. true, false
current_cpu_time int Total CPU time (user plus system) consumed by the JVM, in seconds.
current_user_time int User-space time taken by the JVM, in seconds.
daemon_count int The JVM's current daemon count.
description string A description field provided in some data sources.
dest string The system where the JVM is running. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
jvm_name string The name of the JVM, such as HotSpot.
jvm_process_name string The process name of the JVM, such as java.exe.
jvm_uptime int The JVM's current uptime, in seconds.
jvm_vendor string The vendor of the JVM, such as Oracle.
jvm_version string The version of the JVM, such as 1.6.0_45.
mem_heap_committed int Committed amount of heap memory used by the JVM.
mem_heap_init int Initial amount of heap memory used by the JVM.
mem_heap_max int Maximum amount of heap memory that can be used by the JVM.
mem_heap_used int Heap memory used by the JVM.
mem_non_heap_committed int Committed amount of non-heap memory used by the JVM.
mem_non_heap_init int Initial amount of non-heap memory used by the JVM.
mem_non_heap_max int Maximum amount of non-heap memory that can be used by the JVM.
mem_non_heap_used int Non-heap memory used by the JVM.
objects_pending int Number of objects pending in the JVM.
omu_supported boolean Indicates whether the JVM supports monitoring of object monitor usage. true, false
started_at timestamp The JVM's start time.
sync_supported boolean Indicates whether the JVM supports monitoring of ownable synchronizer usage. true, false
thread_count int The JVM's current thread count.
thread_peak int The JVM's peak thread count.
threads_started int The total number of threads started in the JVM.

Malware

The fields in the Malware event category describe malware detection and endpoint protection management.

Tags used with the Malware event category:

Tag name Required?
attack YES
malware YES
operations YES

Fields for the Malware event category:

Field name Data type Description Possible values
action string The action taken by the reporting device. allowed, blocked, quarantined, unknown
category string The category of the malware event, such as keylogger or ad-supported program.

Note: This is a string value. Use a category_id field for category ID fields that are integer data types (category_id fields are optional, so they are not included in this table).
dest string The system that was affected by the malware event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dest_nt_domain string The NT domain of the destination, if applicable.
product string The product name of the endpoint protection system, such as AntiVirus or Server Protect.
product_version string The product version number of the vendor technology installed on the client, such as 10.4.3 or 11.0.2.
signature string The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, or W32.Nimda.

Note: This is a string value. Use a signature_id field for signature ID fields that are integer data types (signature_id fields are optional, so they are not included in this table).
signature_version string The current signature set (a.k.a. definitions or DAT file) running on the client, such as 11hsvx.
src string The source of the endpoint event, such as a DAT file relay server. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
src_nt_domain string The NT domain of the src, if applicable.
user string The user involved in the malware event.
vendor string The name of the endpoint protection vendor, such as Symantec or TrendMicro.

Network Fabric

The fields in the Network Fabric event category describe network infrastructure inventory and topology.

Tags used with the Network Fabric event category:

Tag name Required?
network YES
resource YES

Fields for the Network Fabric event category:

Field name Data type Description Possible values
description string A description field provided in some data sources.
dest string The network resource that the event describes (the system the event is about, not the device that reported it). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
interface_count int The number of interfaces on the resource.
interface_status string The current reported state of an interface on the resource. up, down, healthy, failed, unknown
location string A location indicator for the resource.
product string The product name of the resource, such as Catalyst 3850.
product_version string The product version of the resource.
resource_type string The resource type definition. switch, router, firewall, virtual, unknown
serial string The serial number of the resource.
status string The current reported state of the resource. up, down, healthy, failed, unknown
vendor string The resource vendor, such as Cisco.

Network Traffic

The fields in the Network Traffic event category describe flows of data across network infrastructure components.

Tags used with the Network Traffic event category:

Tag name Required?
network YES
communicate YES

Fields for the Network Traffic event category:

Field name Data type Description Possible values
action string The action taken by the network device. allowed, blocked, dropped, unknown
bytes int Total count of bytes handled by this device/interface (bytes_in + bytes_out).
bytes_in int How many bytes this device/interface received.
bytes_out int How many bytes this device/interface transmitted.
channel string The 802.11 channel used by a wireless network.
dest string The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dest_interface string The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface."
dest_mac string The layer 2 Media Access Control (MAC) address of the packet's destination.
dest_port int The destination port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field.
dest_svc string The service indicated by the destination port of the network traffic, as translated from dest_port. For instance, if your dest_port value is 80, the corresponding dest_svc value is http.

Note: Always force lower case.
dest_tos int The IP type of service (ToS) precedence value (see http://en.wikipedia.org/wiki/Type_of_Service) for the event's destination. ToS is an IP header field, not a TCP one. See also the tos field in this table. 0, 1, 2, 3, 4, 5, 6, or 7
dest_translated_ip string The NATed IPv4 or IPv6 address to which a packet has been sent.
dest_translated_port int The NATed port to which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
direction string The direction the packet is travelling. inbound, outbound, unknown
dvc string The device that reported the traffic event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
flow_id string Unique identifier for this traffic stream, such as a netflow, jflow, or cflow.
icmp_code string The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem. See the ICMP Type Numbers and the ICMPv6 Type Numbers.
icmp_type int The RFC 2780 or RFC 4443 numeric type value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers. 0 to 254
ip_version int The numbered Internet Protocol version. Splunk 5 or later autodetects IPv4 vs IPv6, rendering this field unnecessary. 4, 6
packets int The total count of packets handled by this device/interface (packets_in + packets_out).
packets_in int The total count of packets received by this device/interface.
packets_out int The total count of packets transmitted by this device/interface.
product string The product name of the device generating the network event, such as SSG or ASA.
protocol string The OSI layer 3 (network) protocol of the traffic observed, in lower case. Can be used interchangeably or field-aliased with transport, as vendors do not always distinguish these layers as separate fields. ipv4, ipv6, icmp, ipsec, igmp, rip, unknown
rule string The rule which defines the action that was taken in the network event.

Note: This is a string value. Use a rule_id field for rule fields that are integer data types (rule_id fields are optional, so they are not included in this table).
session_id string The session identifier. Multiple transactions build a session.
src string The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as src_host, src_ip, or src_name.
src_interface string The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface."
src_mac string The layer 2 Media Access Control (MAC) address of the packet's source.
src_port int The source port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field.
src_svc string The service indicated by the source port of the network traffic, as translated from src_port. For instance, if your src_port value is 80, the corresponding src_svc value is http.

Note: Always force lower case.
src_tos int The IP type of service (ToS) precedence value (see http://en.wikipedia.org/wiki/Type_of_Service) for the event's source. ToS is an IP header field, not a TCP one. See also the tos field in this table. 0, 1, 2, 3, 4, 5, 6, or 7
src_translated_ip string The NATed IPv4 or IPv6 address from which a packet has been sent.
src_translated_port int The NATed port from which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
ssid string The 802.11 service set identifier (ssid) assigned to a wireless session.
tcp_flag string The TCP flag(s) specified in the event. Can be one or more of SYN, ACK, FIN, RST, URG, or PSH.
transport string The OSI layer 4 (transport) protocol of the traffic observed, in lower case. May be used interchangeably or field-aliased with protocol, as vendors do not always distinguish these layers as separate fields. tcp, udp, unknown
tos string The combination of source and destination IP ToS (type of service) values in the event. See the entries for dest_tos and src_tos in this table.
ttl int The "time to live" of a packet or datagram.
user string The user that requested the traffic flow.
wifi_tech MV string The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n.
vendor string The vendor technology of the device generating the network event, such as Juniper or Cisco.
vlan_id int The numeric identifier assigned to the virtual local area network (VLAN) specified in the record.
vlan_name string The name assigned to the virtual local area network (VLAN) specified in the record.
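The rules scattered through this table (ports stay numeric while the service name goes into a separate lower-case *_svc field, action is limited to four values, bytes is bytes_in + bytes_out, protocol is layer 3 and transport layer 4, "in" is the src_interface and "out" the dest_interface) are easiest to get right in one normalizer and then check mechanically. The Python below is an added example written for this page, not Splunk code and not any vendor's format: the firewall lines are constructed in a generic key=value syslog layout invented here, and the verdict-to-action map and the port-to-service lookup are assumptions that a real deployment would replace with its own lookup tables.

```python
import ipaddress
import re

# Constructed sample lines in a generic key=value firewall syslog format made
# up for this example (not a real vendor format); "fw07" is a placeholder host.
SAMPLE_LINES = [
    "Sep  2 15:14:11 fw07 fwlog: ACCEPT proto=TCP src=10.1.2.3 sport=51515 "
    "dst=93.184.216.34 dport=443 in=eth0 out=eth1 bytes_in=1200 bytes_out=8800 "
    "pkts_in=10 pkts_out=12",
    "Sep  2 15:14:12 fw07 fwlog: DROP proto=ICMP src=213.208.19.33 "
    "dst=193.8.50.70 type=8 code=0 in=eth0 out=- bytes_in=84 bytes_out=0 "
    "pkts_in=1 pkts_out=0",
]

_HEADER = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) fwlog: (?P<verdict>\S+) (?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")

# Assumed vendor verdict -> CIM action map. Anything unmapped becomes "unknown"
# rather than leaking a vendor string into a field with a fixed value set.
ACTIONS = {"ACCEPT": "allowed", "REJECT": "blocked", "DROP": "dropped"}
ACTION_VALUES = {"allowed", "blocked", "dropped", "unknown"}
TRANSPORTS = {"tcp", "udp"}
# Assumed minimal port -> service lookup. Values are lower case, as the
# dest_svc/src_svc rows require; the port itself stays an integer.
SERVICES = {22: "ssh", 53: "dns", 80: "http", 443: "https"}


def _ip_protocol(addr):
    """CIM protocol value implied by an address literal: ipv4, ipv6 or unknown."""
    try:
        return "ipv%d" % ipaddress.ip_address(addr).version
    except ValueError:
        return "unknown"


def normalize_traffic(line):
    """Map one constructed firewall line onto CIM Network Traffic fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("unrecognized line: %r" % line)
    kv = dict(_KV.findall(m.group("rest")))
    ev = {
        "dvc": m.group("host"),  # the reporting device, not an endpoint
        "action": ACTIONS.get(m.group("verdict"), "unknown"),
        "src": kv["src"],
        "dest": kv["dst"],
    }
    proto = kv.get("proto", "").lower()
    if proto == "icmp":
        ev["protocol"] = "icmp"
        ev["transport"] = "unknown"
        ev["icmp_type"] = int(kv["type"])
        ev["icmp_code"] = int(kv["code"])
    else:
        ev["protocol"] = _ip_protocol(kv["dst"])
        ev["transport"] = proto if proto in TRANSPORTS else "unknown"
        # Ports stay numeric; the translated service name goes into *_svc.
        for raw, port_field, svc_field in (("sport", "src_port", "src_svc"),
                                           ("dport", "dest_port", "dest_svc")):
            if raw in kv:
                port = int(kv[raw])
                ev[port_field] = port
                if port in SERVICES:
                    ev[svc_field] = SERVICES[port]
    # "in" is the ingress (src_interface), "out" the egress (dest_interface);
    # "-" means the packet never left, so the field is omitted entirely.
    for raw, field in (("in", "src_interface"), ("out", "dest_interface")):
        if kv.get(raw, "-") != "-":
            ev[field] = kv[raw]
    for base, raw_in, raw_out in (("bytes", "bytes_in", "bytes_out"),
                                  ("packets", "pkts_in", "pkts_out")):
        ev[base + "_in"] = int(kv[raw_in])
        ev[base + "_out"] = int(kv[raw_out])
        ev[base] = ev[base + "_in"] + ev[base + "_out"]
    return ev


def traffic_problems(ev):
    """Return the ways an event violates the Network Traffic table's rules."""
    problems = []
    if ev.get("action") not in ACTION_VALUES:
        problems.append("action=%r not in %s" % (ev.get("action"), sorted(ACTION_VALUES)))
    for f in ("src_port", "dest_port", "bytes", "packets", "icmp_type", "icmp_code"):
        if f in ev and not isinstance(ev[f], int):
            problems.append("%s must be an integer, got %r" % (f, ev[f]))
    for f in ("src_svc", "dest_svc", "transport", "protocol"):
        if f in ev and ev[f] != ev[f].lower():
            problems.append("%s must be lower case, got %r" % (f, ev[f]))
    if "bytes" in ev and ev["bytes"] != ev.get("bytes_in", 0) + ev.get("bytes_out", 0):
        problems.append("bytes must equal bytes_in + bytes_out")
    return problems


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = normalize_traffic(line)
        print(event, traffic_problems(event))
```

The validator is the part worth keeping around: run it over a sample of each new sourcetype before tagging it network and communicate, because a dest_port that arrives as the string "http" or a dest_svc of "HTTP" will silently miss searches written against the rest of the data.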

Performance

The fields in the Performance event category describe performance tracking data.

Tags used with the Performance event category:

Tag name Required?
cpu NO
memory NO
network NO
os NO
performance YES
storage NO

Fields for the Performance event category:

Field name Data type Description Possible values
cpu_load_mhz int The amount of CPU load reported by the controller in megahertz.
cpu_load_percent int The amount of CPU load reported by the controller in percentage points.
cpu_time int The number of CPU seconds consumed by processes.
dest string The system where the event occurred. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
fd_max int The maximum number of available file descriptors.
fd_used int The current number of open file descriptors.
latency int The latency reported by the resource, in milliseconds.
mem int The total amount of memory capacity reported by the resource, in megabytes.
mem_committed int The committed amount of memory reported by the resource, in megabytes.
mem_free int The free amount of memory reported by the resource, in megabytes.
mem_free_percent int The free amount of memory reported by the resource, in percentage points.
mem_used int The used amount of memory reported by the resource, in megabytes.
mount string The mount point of a storage resource.
power_state string The power state of the resource. on, off, suspended, unknown
storage int The total amount of storage capacity reported by the resource, in megabytes.
storage_free int The free amount of storage capacity reported by the resource, in megabytes.
storage_used int The used amount of storage capacity reported by the resource, in megabytes.
swap int The swap space size, in megabytes, if applicable.
swap_free int The free swap space size, in megabytes, if applicable.
swap_used int The used swap space size, in megabytes, if applicable.
sys_load int The amount of system load reported by the resource as a 5 minute average load value.
thruput int The current throughput reported by the service.
thruput_max int The maximum possible throughput reported by the service.
uptime int The uptime of the compute resource, in seconds.

Storage Fabric

The fields in the Storage Fabric event category describe common storage infrastructure components from any data source.

Tags used with the Storage Fabric event category:

Tag name Required?
storage YES

Fields for the Storage Fabric event category:

Field name Data type Description Possible values
array string The name of the array that the storage resource is a member of, if applicable.
blocksize int The block size used by the storage resource, in kilobytes.
cluster string The cluster that the storage resource is a member of, if applicable.
description string A description field provided in some data sources.
dest string The storage resource that the event describes (the system the event is about, not the device that reported it). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
filesystem string The filesystem of the storage resource.
location string A location indicator for the storage resource.
product string The product name of the storage resource, such as FAS6240.
product_version string The product version of the storage resource.
resource_type string The type of storage resource. array, cluster, controller, disk, local, network, physical, system, virtual, volume, unknown
serial string The serial number of the storage resource.
status string The current reported state of the storage resource. down, failed, healthy, unknown, up
vendor string The vendor of the storage resource, such as NetApp.

Web and Proxy

The fields in the Web and Proxy event category describe web server and/or proxy server data in a security or operational context.

Tags used with the Web and Proxy event category:

Tag name Required?
web YES
proxy NO

Fields for the Web and Proxy event category:

Field name Data type Description Possible values
app string The protocol of the traffic, such as HTTP, FTP, or HTTPS.
action string The action taken by the server or proxy. allowed, blocked, unknown
bytes int The total number of bytes transferred (bytes_in + bytes_out).
bytes_in int The number of inbound bytes transferred.
bytes_out int The number of outbound bytes transferred.
category string The category of the web event.
cookie string The cookie file recorded in the event.
dest string The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
duration int The time taken by the proxy event, in seconds.
http_content_type string The content-type of the requested HTTP resource.
http_method string The HTTP method used in the request. GET, POST, DELETE, and so on.
http_referrer string The HTTP referrer used in the request.
http_user_agent string The user agent used in the request.
product string The product name of the proxy server, such as SecureGateway, ISA, or Squid Proxy Server.
site string The virtual site which services the request, if applicable.
src string The source of the network traffic (the client requesting the connection).
status int The HTTP response code indicating the status of the proxy request. 404, 302, 500, and so on.
sub_status string The HTTP sub status of the request.
user string The user that requested the HTTP resource.
url string The URL of the requested HTTP resource.
uri_path string The URI path of the requested HTTP resource, without protocol, server, or file.
uri_query string The full query string in the request.
vendor string The vendor of the proxy server, such as Apache, BlueCoat, Microsoft, or Squid.
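A proxy access log is the usual source for this table, and the two things that go wrong in practice are storing status as a string and leaving the protocol and host inside uri_path. The Python below is an added example written for this page, not Splunk code and not part of Squid. It parses Squid's native access.log layout (timestamp, elapsed milliseconds, client, result/status, bytes, method, URL, user, hierarchy/peer, MIME type), which is real, but the lines, hosts, users and addresses are constructed here; treating a CONNECT tunnel as HTTPS and rounding Squid's milliseconds to the table's whole-second duration are this example's choices.

```python
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log layout; the hosts, users and
# addresses are placeholders made up for this example.
SQUID_LINES = [
    "1383846440.098    142 10.1.2.3 TCP_MISS/200 5123 GET http://example.com/search?q=cim alice DIRECT/93.184.216.34 text/html",
    "1383846441.511      3 10.1.2.4 TCP_DENIED/403 3412 GET http://badsite.example/payload.exe - NONE/- text/html",
    "1383846442.020   2210 10.1.2.3 TCP_TUNNEL/200 48021 CONNECT example.com:443 alice DIRECT/93.184.216.34 -",
]

ACTION_VALUES = {"allowed", "blocked", "unknown"}


def normalize_squid(line):
    """Map one Squid native access.log line onto CIM Web and Proxy fields."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError("expected 10 fields, got %d: %r" % (len(parts), line))
    _ts, elapsed_ms, client, result, nbytes, method, url, user, _peer, ctype = parts
    result_code, _, http_status = result.partition("/")
    ev = {
        "vendor": "Squid",
        "product": "Squid Proxy Server",
        "src": client,
        "http_method": method.upper(),
        "status": int(http_status),      # table: int, e.g. 404, 302, 500
        "bytes_out": int(nbytes),        # bytes Squid sent back to the client
        "url": url,
        # The table gives duration in whole seconds; Squid logs milliseconds.
        "duration": int(round(int(elapsed_ms) / 1000.0)),
        # TCP_DENIED is the refusal result in this format; everything else was
        # served, so it maps to "allowed" rather than to a vendor string.
        "action": "blocked" if result_code.startswith("TCP_DENIED") else "allowed",
    }
    if method.upper() == "CONNECT":
        # CONNECT lines carry host:port with no scheme or path. Assumption for
        # this example: a CONNECT tunnel is treated as HTTPS traffic.
        ev["dest"] = url.rpartition(":")[0] or url
        ev["app"] = "HTTPS"
    else:
        u = urlsplit(url)
        ev["dest"] = u.hostname or ""
        ev["app"] = u.scheme.upper()     # table examples: HTTP, FTP, HTTPS
        ev["uri_path"] = u.path          # no protocol or server, per the table
        if u.query:
            ev["uri_query"] = u.query
    # Squid writes "-" for an unknown user and MIME type; leave those fields
    # out rather than storing a literal dash that would match searches.
    if user != "-":
        ev["user"] = user
    if ctype != "-":
        ev["http_content_type"] = ctype
    return ev


def web_problems(ev):
    """Check a normalized event against the Web and Proxy table's rules."""
    problems = []
    if ev.get("action") not in ACTION_VALUES:
        problems.append("action=%r not in %s" % (ev.get("action"), sorted(ACTION_VALUES)))
    for f in ("status", "bytes_out", "duration"):
        if f in ev and not isinstance(ev[f], int):
            problems.append("%s must be an integer, got %r" % (f, ev[f]))
    if ev.get("uri_path", "/").startswith(("http://", "https://")):
        problems.append("uri_path must not include protocol or server")
    return problems


if __name__ == "__main__":
    for line in SQUID_LINES:
        event = normalize_squid(line)
        print(event, web_problems(event))
```

Note that the native format only records bytes sent to the client, so bytes_in and therefore bytes are left unset rather than guessed; if you need both directions, enable a custom logformat that records request size as well.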

Updates

The fields in the Updates event category describe patch management events from individual systems or central management tools.

Tags used with the Updates event category:

Tag name Required?
update YES
status YES
system NO

Fields for the Updates event category:

Field name Data type Description Possible values
action string The action taken by the patching service. deferred, failure, reboot_required, success, unknown
dest string The system that is affected by the patch change. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
dvc string The device that detected the patch event, such as a patching or configuration management server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
file_name string The name of the patch package that was installed or attempted.
file_hash string The checksum of the patch package that was installed or attempted.
product string The product name of the device that detected or initiated the change, such as TEM, Patchlink, or SCCM.
signature string The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739.

Note: This is a string value. Please use signature_id for numeric indicators.
signature_id int The numeric ID of the patch requirement detected on the client (the dest).

Note: This is an integer value. Please use signature for human-readable signature names.
status string Indicates the status of a given patch requirement. available, installed, invalid, reboot_required, unknown
vendor string The vendor of the patch monitoring product, such as IBM, Lumension, or Microsoft.

Vulnerability

The fields in the Vulnerability event category describe vulnerability detection data.

Tags used with the Vulnerability event category:

Tag name Required?
report YES
vulnerability YES

Fields for the Vulnerability event category:

Field name Data type Description Possible values
app string The application with the detected vulnerability, such as LoadRunner.
bugtraq string Corresponds to an identifier in the publicly available Bugtraq vulnerability database (searchable at http://www.securityfocus.com/bid/).
category string The category of the discovered vulnerability, such as DoS.

Note: This field is a string. Please use a category_id field for fields that are integer data type. Keep in mind that the category_id field is optional and thus is not part of the CIM.
cert string Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team (US-CERT, searchable at http://www.kb.cert.org/vuls/).
cve string Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org).
dest string The host with the discovered vulnerability. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
msft string Corresponds to a Microsoft Security Advisory number (http://technet.microsoft.com/en-us/security/advisory/).
mskb string Corresponds to a Microsoft Knowledge Base article number (http://support.microsoft.com/kb/).
os string The operating system of the host containing the vulnerability, such as Windows.
os_version string The version of the operating system of the host with the vulnerability, such as 2008r2.
severity string The severity of the vulnerability detection event. Specific values are required. Use vendor_severity for the vendor's own human readable strings (such as Good, Bad, and Really Bad). critical, high, informational, low, medium, unknown

Note: This field is a string. Please use a severity_id field for severity ID fields that are integer data types. Keep in mind that the severity_id field is optional and thus is not part of the CIM.
signature string The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS).

Note: This field has a string value. Please use signature_id for numeric indicators. Keep in mind that the signature_id field is optional and thus is not part of the CIM.
xref string A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database.
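Two rows in this table deserve a worked example: severity, which must hold one of six fixed values while the scanner's own wording goes into vendor_severity, and xref, which carries both the database short name and the external identifier. The Python below is an added example written for this page, not Splunk code and not any scanner's export format. The scan records are constructed, the identifiers in them are placeholders shaped like CVE, Bugtraq, CERT, Microsoft advisory and KB numbers rather than real advisories, the vendor-to-CIM severity map is assumed, and rendering xref as "<database>:<identifier>" is this example's choice since the table fixes only the two parts, not the separator.

```python
import re

# Constructed scanner output (not from any real scanner); every identifier is
# a placeholder with the right shape, not a real advisory.
SCAN_RECORDS = [
    {"host": "web01.example.com", "risk": "Really Bad", "os": "Windows",
     "os_version": "2008r2", "plugin": "Example App Remote Code Execution",
     "category": "RCE", "cve": "cve-2013-99999", "bid": "999999",
     "msft": "MS13-999", "mskb": "9999999"},
    {"host": "db01.example.com", "risk": "Bad", "os": "Linux",
     "os_version": "6.4", "plugin": "Example Service Denial of Service",
     "category": "DoS", "cve": "2013-99998", "cert": "VU#999999"},
    {"host": "app01.example.com", "risk": "Meh", "os": "Windows",
     "os_version": "2012", "plugin": "Example Banner Disclosure",
     "category": "Info"},
]

SEVERITIES = {"critical", "high", "informational", "low", "medium", "unknown"}
# Assumed map from the vendor's wording to the table's required values.
VENDOR_SEVERITY = {"really bad": "critical", "bad": "high", "so-so": "medium",
                   "good": "low", "fyi": "informational"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# (record field, database short name) pairs used to build xref; the
# "<database>:<identifier>" rendering is this example's choice.
XREF_DBS = (("cve", "CVE"), ("bugtraq", "BID"), ("cert", "CERT"),
            ("msft", "MSFT"), ("mskb", "MSKB"))


def normalize_vuln(rec):
    """Return (CIM Vulnerability event, list of problems) for one record."""
    problems = []
    ev = {
        "dest": rec["host"],
        "signature": rec["plugin"],
        "category": rec["category"],
        "os": rec["os"],
        "os_version": rec["os_version"],
        # Keep the vendor's own wording and derive the fixed-value severity.
        "vendor_severity": rec["risk"],
        "severity": VENDOR_SEVERITY.get(rec["risk"].lower(), "unknown"),
    }
    if ev["severity"] == "unknown":
        problems.append("unmapped vendor severity %r" % rec["risk"])
    if "cve" in rec:
        # Normalize case and refuse anything that is not a CVE identifier, so
        # a bare year-number pair cannot be mistaken for one downstream.
        cve = rec["cve"].upper()
        if CVE_RE.match(cve):
            ev["cve"] = cve
        else:
            problems.append("malformed CVE identifier %r" % rec["cve"])
    if "bid" in rec:
        ev["bugtraq"] = rec["bid"]
    for f in ("cert", "msft", "mskb"):
        if f in rec:
            ev[f] = rec[f]
    xref = ["%s:%s" % (db, ev[f]) for f, db in XREF_DBS if f in ev]
    if xref:
        ev["xref"] = xref  # multivalue: one entry per database referenced
    assert ev["severity"] in SEVERITIES
    return ev, problems


if __name__ == "__main__":
    for rec in SCAN_RECORDS:
        print(normalize_vuln(rec))
```

The problems list is the point: a scanner that invents a new severity string, or a plugin that emits a half-formed CVE number, should surface as a normalization failure you can alert on, not as a silent "unknown" that drops the finding out of every severity-based report.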

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Yet another good catch from POtemkin...docs have been duly updated!

Mness, Splunker
May 30, 2013

What is the difference between 'http_method' and 'status' field in the proxy table?

P0temkin
May 30, 2013

In the Cisco PIX example, the CIM compliant version lists "icmp_type=8 icmp_code=0 proto=icmp" which doesn't seem to be correct. Shouldn't 'proto' be replaced by 'protocol'? And I'm unable to find any other references to icmp_type and icmp_code in this article.

P0temkin
March 11, 2013

Isn't the 'DNS protocol' still listed twice? With different fields?

P0temkin
January 20, 2013

Thanks for the updates

P0temkin
January 19, 2013

Thanks P0temkin - We've fixed all of the issues you called out. Turns out the "isdr" field in the "Endpoint protection" section was both a typo (should be "isdir") and obsolete--that section has now been updated with a bunch of new fields. Check it out if you're interested.

Mness, Splunker
January 17, 2013

(continued from last comment)

In this way, "isdir=True" corresponds to an event with an extracted field of "object_path" but a null value for "object", indicating that the object was a directory. In the ES/PCI apps, we also prescribe certain values for object_category to make this simpler; object_category can take on one of the following values:

 directory
 file
 registry
 unknown

We then set "object_category" via automatic field extractions. It is actually not necessary to maintain an "isdir" Boolean since we've placed this knowledge in a field that has categorical values.

However, I believe the audittrail and fs_notification source types may still create events with a key-value pair "isdir=" in the raw event, meaning that an "isdir" field might be extracted automatically and might still be present in your events. While you can use the "isdir" field directly, for conformance to the CIM the normalized field names are preferred.

We'll get the docs updated ASAP.

Jervin splunk, Splunker
January 17, 2013

Re: the "Change analysis - Endpoint protection" values - it appears that this document is actually out of date. The Endpoint Change model has been updated to be more generic; the correct fields are listed at this URL which I would use in the meantime until we get this rectified:

http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/UnderstandandusetheCommonInformationModel

The field "isdr" in the incorrect docs must be a typo intended to be "isdir". However, we deprecated that in the updates to the Endpoint Change model in favor of these more generic fields:

 Field Type Description
 object_path string Full path to object
 object string Name of affected object
 object_category string Generic name for the class of the changed object.

This classification allows us to handle pretty much any "change" that might occur on an endpoint (comment continues below).

Jervin splunk, Splunker
January 17, 2013

"Change analysis - Endpoint protection"
'isdr' as Boolean, Y/N as possible values?

"Common event fields"
Duplicate 'desc' field

"Intrusion detection"
s/Providentia/Proventia/g

"Standardize your event type tags"
The three tags in discussion here are:
2?

P0temkin
January 17, 2013
