Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Network Sessions

The fields in the Network Sessions data model and event categories describe DHCP and DNS traffic (whether server:server or client:server) and network infrastructure inventory and topology.

Tags used with the Network Session event category

Object name(s) Tag name Required?
All_Sessions network YES
All_Sessions session YES
Session_Start start YES
Session_End end YES
DHCP dhcp YES
VPN vpn YES

Fields for the Network Sessions event category

Object name(s) Field name Data type Description Possible values
All_Sessions action string The action taken by the reporting device. added, blocked, unknown
dest string The system reporting a network session event, such as a DHCP lease or VPN sign-in. May be aliased from more specific fields, such as dest_mac, dest_host, dest_ip, or dest_name.
All_Sessions dest_ip string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Sessions dest_mac string
All_Sessions dest_nt_host string
All_Sessions dest_dns string
All_Sessions product string The DHCP or DNS server product name, such as MS-DHCP or BIND. This field is used to automatically produce the vendor_product field used by data models.
All_Sessions signature string An indication of the type of network session event.
src string The system delivering a network session event, such as a DHCP lease or VPN sign-in. May be aliased from more specific fields, such as src_mac, src_host, src_ip, or src_name.
All_Sessions src_ip string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Sessions src_mac string
All_Sessions src_nt_host string
All_Sessions src_dns string
All_Sessions tag string This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
All_Sessions user string The user in a network session event, where applicable. For instance, a VPN session or an authenticated DHCP event.
All_Sessions vendor string The DHCP or DNS server vendor name, such as ISC or ISC. This field is used to automatically produce the vendor_product field used by data models.
Last modified on 25 March, 2014
PREVIOUS
Malware 		  NEXT
Network Traffic

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters