Related Answers
This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Download topic as PDF
Updates
| This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected. |
The fields in the Updates data model and event category describe patch management events from individual systems or central management tools.
Tags used with the Updates data model and event category
| Object name(s) | Tag name | Required? |
|---|---|---|
| Updates | update | YES |
| Updates | status | YES |
| system | NO |
Fields for the Updates event category
| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Updates | dest
|
int | The system that is affected by the patch change. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| Updates | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Updates | dest_category
|
string | ||
| Updates | dest_should_update
|
boolean | ||
| Updates | dvc
|
string | The device that detected the patch event, such as a patching or configuration management server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
|
|
| Updates | file_name
|
string | The name of the patch package that was installed or attempted. | |
| Updates | file_hash
|
string | The checksum of the patch package that was installed or attempted. | |
| Updates | product
|
string | The vendor product name of the device that detected or initiated the change, such as IBM, Lumension, or Microsoft. This field is used to automatically produce the vendor_product field used by data models.
|
|
| Updates | signature
|
string | The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739.Note: This is a string value. Please use signature_id for numeric indicators.
|
|
| Updates | signature_id
|
int | The numeric ID of the intrusion detected on the client (the src). Note: This is an integer value. Please use signature_id for human-readable signature names.
|
|
| Updates | status
|
string | Indicates the status of a given patch requirement. | available, installed, invalid, reboot_required, unknown
|
| Updates | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
| Updates | vendor
|
string | The vendor of the patch monitoring product, such as TEM, Patchlink, or SCCM. This field is used to automatically produce the vendor_product field used by data models.
|
|
| Update_Errors | event_id
|
string | The patching event id that generated an error. | |
Last modified on 18 October, 2013
|
PREVIOUS Splunk Audit Logs |
NEXT Vulnerabilities |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2
Feedback submitted, thanks!