Application State
The fields and tags in the Application State data model and event category describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.
Tags used with the Application State event category
| Object name(s) | Tag name | Required? |
|---|---|---|
| All_Application_State / Ports | listening | YES |
| All_Application_State / Ports | port | YES |
| All_Application_State / Processes | process | YES |
| All_Application_State / Processes | report | YES |
| All_Application_State / Services | service | YES |
| All_Application_State / Services | report | YES |
Fields for the Application State event category
| Object name(s) | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| All_Application_State | dest | string | The compute resource where the service is installed. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| All_Application_State | dest_bunit | string | These are derived fields provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| All_Application_State | dest_category | string | Derived field; see dest_bunit. | |
| All_Application_State | dest_requires_av | boolean | Derived field; see dest_bunit. | |
| All_Application_State | dest_should_timesync | boolean | Derived field; see dest_bunit. | |
| All_Application_State | dest_should_update | boolean | Derived field; see dest_bunit. | |
| All_Application_State | process | string | The name of a process or service file, such as sqlsrvr.exe or httpd. Note: This field is not appropriate for service or daemon names, such as SQL Server or Apache Web Server; those belong in the service field (see below). Also note that this field is a string; use the process_id field for integer process IDs. | |
| All_Application_State | process_id | int | A numeric indicator (PID) for a process. Note: This field is an integer; use the process field for process names. | |
| All_Application_State | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| All_Application_State | user | string | The user account the service is running as, such as System or httpdsvc. | |
| All_Application_State | user_bunit | string | These are derived fields provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| All_Application_State | user_category | string | Derived field; see user_bunit. | |
| Ports | dest_port | MV number | Network ports communicated to by the process, such as 53. | |
| Ports | transport | MV string | The transport protocol of the network ports the application process listens on, such as tcp or udp. | |
| Ports | transport_dest_port | MV string | Calculated as transport/dest_port, such as tcp/53. | |
| Processes | cpu_load_mhz | number | CPU load in megahertz. | |
| Processes | cpu_load_percent | number | CPU load in percent. | |
| Processes | cpu_time | string | CPU time. | |
| Processes | mem_used | number | Memory used in bytes. | |
| Services | service | string | The name of the service, such as SQL Server or Apache Web Server. Note: This field is not appropriate for file names, such as sqlsrvr.exe or httpd; those belong in the process field instead. Also note that this field is a string; use the service_id field for integer service IDs. | |
| Services | service_id | int | A numeric indicator for a service. Note: This field is an integer; use the service field for service names. | |
| Services | start_mode | string | The start mode for the service. | disabled, enabled, auto |
| Services | status | string | The status of the service. | critical, started, stopped, warning |
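As an added illustration (not code from the CIM add-on or its documentation), the following Python normalizes constructed inventory records into the fields and tags listed above: it enforces the int versus string types of process_id/service_id, checks start_mode and status against their expected values, treats the Ports fields as multivalue, and derives transport_dest_port. The raw record shape (a dict keyed by source field names) is an assumption of this example.

```python
from typing import Any

# Tags each data model object requires (from the tag table on this page).
OBJECT_TAGS = {"Ports": {"listening", "port"},
               "Processes": {"process", "report"},
               "Services": {"service", "report"}}
# Expected values of the Services fields start_mode and status.
EXPECTED = {"start_mode": {"disabled", "enabled", "auto"},
            "status": {"critical", "started", "stopped", "warning"}}


def _mv(value: Any) -> list:
    """Multivalue (MV) fields may arrive as a scalar or as a list."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def normalize(raw: dict[str, Any], obj: str) -> dict[str, Any]:
    """Map a raw record (assumed dict shape) to the CIM fields of object `obj`.
    Raises ValueError (or KeyError for a missing Ports field) when it cannot."""
    if obj not in OBJECT_TAGS:
        raise ValueError(f"unknown Application State object {obj!r}")
    event: dict[str, Any] = {"tag": sorted(OBJECT_TAGS[obj])}
    # dest may be aliased from a more specific field.
    for alias in ("dest", "dest_host", "dest_ip", "dest_name"):
        if alias in raw:
            event["dest"] = str(raw[alias])
            break
    for name in ("process", "service", "user"):  # string fields
        if name in raw:
            event[name] = str(raw[name])
    for name in ("process_id", "service_id"):  # int fields, never strings
        if name in raw:
            event[name] = int(raw[name])
    if obj == "Ports":
        ports = [int(p) for p in _mv(raw["dest_port"])]
        transports = [str(t).lower() for t in _mv(raw["transport"])]
        if len(ports) != len(transports):
            raise ValueError("transport and dest_port values must pair up")
        event["dest_port"], event["transport"] = ports, transports
        # Calculated field transport/dest_port, e.g. tcp/53.
        event["transport_dest_port"] = [f"{t}/{p}" for t, p in zip(transports, ports)]
    elif obj == "Services":
        for name, allowed in EXPECTED.items():
            if name in raw and raw[name] not in allowed:
                raise ValueError(f"{name}={raw[name]!r} not in {sorted(allowed)}")
            if name in raw:
                event[name] = raw[name]
    return event
```

Running a record through normalize() before writing an add-on's field extractions surfaces type and value mismatches that would otherwise only appear as empty data model searches.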
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2