This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Splunk Audit Logs
| This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected. |
The fields and tags in the Splunk Audit Logs data model and event category describe audit information for systems producing event logs.
Tags and constraints used with the Splunk Audit Logs data model and event category
| Object name(s) | Constraint | Required? |
|---|---|---|
| View_Activity | index=_internal sourcetype=splunk_web_access method=GET status=200 | YES |
| Datamodel_Acceleration | | datamodelinfo | YES |
| Search_Activity | `search_activity` | YES |
| Web_Service_Errors | index=_internal sourcetype=splunk_web_service tag=error | YES |
Fields for the Splunk Audit Logs data model and event category
| Object name(s) | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Datamodel_Acceleration | access_count
|
int | ||
| Datamodel_Acceleration | access_time
|
timestamp | ||
| Datamodel_Acceleration | app
|
string | ||
| Datamodel_Acceleration | buckets
|
string | ||
| Datamodel_Acceleration | bucket_size
|
string | ||
| Datamodel_Acceleration | cron
|
string | ||
| Datamodel_Acceleration | complete
|
string | ||
| Datamodel_Acceleration | datamodel
|
string | ||
| Datamodel_Acceleration | digest
|
string | ||
| Datamodel_Acceleration | earliest
|
timestamp | ||
| Datamodel_Acceleration | is_inprogress
|
boolean | ||
| Datamodel_Acceleration | last_error
|
string | ||
| Datamodel_Acceleration | last_sid
|
string | ||
| Datamodel_Acceleration | latest
|
timestamp | ||
| Datamodel_Acceleration | mod_time
|
timestamp | ||
| Datamodel_Acceleration | retention
|
int | ||
| Datamodel_Acceleration | size
|
int | ||
| Datamodel_Acceleration | summary_id
|
string | ||
| Search_Activity | info
|
string | ||
| Search_Activity | search
|
string | ||
| Search_Activity | search_type
|
string | ||
| Search_Activity | user
|
string | ||
| View_Activity | app
|
string | ||
| View_Activity | user
|
string | ||
| View_Activity | view
|
string | ||
| Web_Service_Errors | event_id
|
string |
Last modified on 16 October, 2013
| Performance | Updates |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
Download manual
Feedback submitted, thanks!