Inventory
The fields and tags in the Inventory data model and event category describe common computer infrastructure components from any data source, along with network infrastructure inventory and topology.
Tags used with the Inventory event category
Object name(s) | Tag name | Required? |
---|---|---|
All_Inventory | inventory | YES |
All_Inventory CPU | cpu | YES |
All_Inventory Memory | memory | YES |
All_Inventory Network | network | YES |
All_Inventory Network | resource | YES |
All_Inventory OS | os | YES |
All_Inventory User | user | YES |
All_Inventory Virtual_OS | virtual | YES |
All_Inventory Virtual_OS SnapShot | snapshot | YES |
All_Inventory Virtual_OS Tools | tools | YES |
Fields for the Inventory event category
Object name(s) | Field name | Data type | Description | Expected values |
---|---|---|---|---|
All_Inventory | description | string | A description field provided in some data sources. | |
All_Inventory | dest | string | The system where the data originated, the source of the event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
All_Inventory | dest_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Inventory | dest_category | string | | |
All_Inventory | enabled | string | boolean | |
All_Inventory | family | string | The product family of the resource, such as 686_64 or RISC. | |
All_Inventory | hypervisor_id | string | The hypervisor identifier, if applicable. | |
All_Inventory | product | string | The resource product name, such as DL 380. Note: Many Apps will merge vendor and product into a single vendor_product field; this may be prepopulated from the data. In addition, the vendor, product, and version fields can be combined to create the os field. | |
All_Inventory | product_version | string | The resource product version, such as G8. | |
All_Inventory | serial | string | The serial number of the resource. | |
All_Inventory | status | string | The current reported state of the resource. | |
All_Inventory | tag | string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
All_Inventory | vendor | string | The vendor of the resource, such as HP. Note: Many Apps will merge vendor and product into a single vendor_product field. This may be populated from the data. In addition, the vendor, product, and version fields can be combined to create the os field. | |
All_Inventory | version | string | The version of a computer resource, such as 2008r2 or 3.0.0. | |
CPU | cpu_cores | int | The number of CPU cores reported by the resource (total, not per CPU). | |
CPU | cpu_count | int | The number of CPUs reported by the resource. | |
CPU | cpu_mhz | int | The maximum speed of the CPU reported by the resource (in megahertz). | |
CPU | cpu_vendor | string | The product vendor of the CPU reported by the resource. | |
CPU | resource_type | string | The computer resource's type. | array, disk, cluster, network, physical, rpool, system, virtual, vm, unknown |
Memory | mem | int | The total amount of memory installed in or allocated to the resource, in megabytes. | |
Network | dns | string | Domain name server | |
Network | interface | MV string | The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface. | |
Network | ip | MV string | The network addresses of the computing resource, such as 192.168.1.1 and E80:0000:0000:0000:0202:B3FF:FE1E:8329. | |
Network | mac | MV string | A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. | |
Network | name | string | A name field provided in some data sources. | |
OS | os | string | The operating system of the resource, such as Microsoft Windows Server 2008r2. Should be constructed from vendor, product, and version fields. | |
Snapshot | size | int | The snapshot file size, in megabytes. | |
Snapshot | snapshot | string | The name of a snapshot file. | |
Snapshot | time | string | The time at which the snapshot was taken. | |
Storage | array | string | The array that the storage resource is a member of, if applicable. | |
Storage | blocksize | int | Block size used by the storage resource, in kilobytes. | |
Storage | cluster | string | The cluster that the resource is a member of, if applicable. | |
Storage | fd_max | int | The maximum number of file descriptors available. | |
Storage | latency | int | The latency reported by the resource, in milliseconds. | |
Storage | mount | string | The path at which a storage resource is mounted. | |
Storage | parent | string | A higher level object that this resource is owned by, if applicable. | |
Storage | read_blocks | int | Ideal specification for the resource's performance, if applicable. | |
Storage | read_latency | int | Ideal specification for the resource's performance, if applicable. | |
Storage | read_ops | int | Ideal specification for the resource's performance, if applicable. | |
Storage | storage | int | The amount of storage capacity allocated to the resource, in megabytes. | |
Storage | write_blocks | int | Ideal specification for the resource's performance, if applicable. | |
Storage | write_latency | int | Ideal specification for the resource's performance, if applicable. | |
Storage | write_ops | int | Ideal specification for the resource's performance, if applicable. | |
User | interactive | boolean | Indicates if a locally defined account on a resource can be interactively logged in. | |
User | password | string | Indicates if a locally defined account has a stored password (for instance, an Add-on may report the password column from /etc/passwd in this field). | |
User | shell | string | Indicates the shell program used by a locally defined account. | |
User | user | string | The full name of a locally defined account. | |
User | user_id | string | The username of a locally defined account. | |
User | user_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
User | user_category | string | | |
Virtual_OS | hypervisor | string | The hypervisor parent of a virtual guest OS. | |
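The normalization rules stated in the table (lower-case, colon-separated mac values; os built from vendor, product, and version; derived fields left blank) can be applied before indexing. The following is an added example, not code from the Splunk add-on: the function names, the shape of the raw record, and the sample values are assumptions made for illustration.

```python
import re

# Fields the table marks as derived by Asset and Identity correlation.
# Assumption: dest_category and user_category share the note given for *_bunit.
DERIVED_FIELDS = ("dest_bunit", "dest_category", "user_bunit", "user_category")


def normalize_mac(raw):
    """Return a MAC as lower-case, colon-separated hex, or None if malformed."""
    hex_digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hex_digits):
        return None
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def build_os(vendor, product, version):
    """Construct the os field from vendor, product and version, skipping blanks."""
    return " ".join(p.strip() for p in (vendor, product, version) if p and p.strip())


def to_cim_inventory(raw_event):
    """Map a raw inventory record onto CIM fields; return (event, rejected_macs)."""
    event = {k: v for k, v in raw_event.items() if k not in DERIVED_FIELDS}
    macs = raw_event.get("mac", [])
    if isinstance(macs, str):
        macs = [macs]
    normalized = [normalize_mac(m) for m in macs]
    # mac is a multivalue field: keep unique, valid addresses only.
    event["mac"] = sorted({m for m in normalized if m})
    rejected = [m for m, n in zip(macs, normalized) if n is None]
    event["os"] = build_os(raw_event.get("vendor"), raw_event.get("product"),
                           raw_event.get("version"))
    return event, rejected


# Constructed sample record (not real data).
SAMPLE = {
    "dest": "host01",
    "vendor": "Microsoft", "product": "Windows Server", "version": "2008r2",
    "mac": ["06-10-9F-EB-8F-14", "0610.9feb.8f14", "06109FEB8F15", "not-a-mac"],
    "dest_bunit": "finance",
}

if __name__ == "__main__":
    print(to_cim_inventory(SAMPLE))
```

Values that fail normalization are returned separately so they can be logged instead of silently producing a mac value that will not match during asset correlation.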
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2