Network Sessions
The fields in the Network Sessions data model and event categories describe DHCP and DNS traffic (whether server:server or client:server) and network infrastructure inventory and topology.
Tags used with the Network Session event category
Object name(s) | Tag name | Required? |
---|---|---|
All_Sessions | network | YES |
All_Sessions | session | YES |
Session_Start | start | YES |
Session_End | end | YES |
DHCP | dhcp | YES |
VPN | vpn | YES |
Fields for the Network Sessions event category
Object name(s) | Field name | Data type | Description | Possible values |
---|---|---|---|---|
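All_Sessions | action | string | The action taken by the reporting device. | added, blocked, unknown |
All_Sessions | dest | string | The system reporting a network session event, such as a DHCP lease or VPN sign-in. May be aliased from more specific fields, such as dest_mac, dest_host, dest_ip, or dest_name. | |
All_Sessions | dest_ip | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | dest_mac | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | dest_nt_host | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | dest_dns | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | product | string | The DHCP or DNS server product name, such as MS-DHCP or BIND. This field is used to automatically produce the vendor_product field used by data models. | |
All_Sessions | signature | string | An indication of the type of network session event. | |
All_Sessions | src | string | The system delivering a network session event, such as a DHCP lease or VPN sign-in. May be aliased from more specific fields, such as src_mac, src_host, src_ip, or src_name. | |
All_Sessions | src_ip | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | src_mac | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | src_nt_host | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | src_dns | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Sessions | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
All_Sessions | user | string | The user in a network session event, where applicable. For instance, a VPN session or an authenticated DHCP event. | |
All_Sessions | vendor | string | The DHCP or DNS server vendor name, such as ISC. This field is used to automatically produce the vendor_product field used by data models. | |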
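An added example, not taken from the Splunk documentation: one way an add-on could map a DHCP source onto the tags and fields listed above. The sourcetype example:dhcp, the event type names, the raw fields reporting_host, delivering_host and msg_type, the msg_type values and their mapping to action, and the product value are all assumptions constructed for the illustration.

```ini
# ---- eventtypes.conf ----
# Sourcetype and msg_type values are constructed for this example.
[example_dhcp_session]
search = sourcetype=example:dhcp

[example_dhcp_session_start]
search = sourcetype=example:dhcp msg_type=ACK

[example_dhcp_session_end]
search = sourcetype=example:dhcp msg_type=RELEASE

# ---- tags.conf ----
# Every event of the sourcetype gets the All_Sessions and DHCP tags.
[eventtype=example_dhcp_session]
network = enabled
session = enabled
dhcp = enabled

# Start and end events also match the broader event type above,
# so they carry network, session and dhcp as well.
[eventtype=example_dhcp_session_start]
start = enabled

[eventtype=example_dhcp_session_end]
end = enabled

# ---- props.conf ----
[example:dhcp]
# dest and src are aliased from the source's own (hypothetical) fields.
FIELDALIAS-dest = reporting_host AS dest
FIELDALIAS-src = delivering_host AS src
FIELDALIAS-signature = msg_type AS signature
# action is limited to the values the table allows; this mapping is assumed.
EVAL-action = case(msg_type=="ACK", "added", msg_type=="NAK", "blocked", true(), "unknown")
# vendor and product feed the automatically produced vendor_product field.
EVAL-vendor = "ISC"
EVAL-product = "DHCP"
# Not set here on purpose: dest_ip, dest_mac, dest_nt_host, dest_dns,
# src_ip, src_mac, src_nt_host, src_dns (derived fields) and tag.
```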
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2