Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Inventory

The fields and tags in the Inventory data model and event category describe common computer infrastructure components from any data source, along with network infrastructure inventory and topology.

Tags used with the Inventory event category

| Object name(s) | Tag name | Required? |
|---|---|---|
| All_Inventory | inventory | YES |
| All_Inventory, CPU | cpu | YES |
| All_Inventory, Memory | memory | YES |
| All_Inventory, Network | network | YES |
| All_Inventory, Network | resource | YES |
| All_Inventory, OS | os | YES |
| All_Inventory, User | user | YES |
| All_Inventory, Virtual_OS | virtual | YES |
| All_Inventory, Virtual_OS, SnapShot | snapshot | YES |
| All_Inventory, Virtual_OS, Tools | tools | YES |

Fields for the Inventory event category

| Object name(s) | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| All_Inventory | description | string | A description field provided in some data sources. | |
| All_Inventory | dest | string | The system where the data originated, the source of the event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| All_Inventory | dest_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| All_Inventory | dest_category | string | | |
| All_Inventory | enabled | string | boolean | |
| All_Inventory | family | string | The product family of the resource, such as 686_64 or RISC. | |
| All_Inventory | hypervisor_id | string | The hypervisor identifier, if applicable. | |
| All_Inventory | product | string | The resource product name, such as DL 380. Note: Many Apps will merge vendor and product into a single vendor_product field; this may be prepopulated from the data. In addition, the vendor, product, and version fields can be combined to create the os field. | |
| All_Inventory | product_version | string | The resource product version, such as G8. | |
| All_Inventory | serial | string | The serial number of the resource. | |
| All_Inventory | status | string | The current reported state of the resource. | |
| All_Inventory | tag | string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
| All_Inventory | vendor | string | The vendor of the resource, such as HP. Note: Many Apps will merge vendor and product into a single vendor_product field. This may be populated from the data. In addition, the vendor, product, and version fields can be combined to create the os field. | |
| All_Inventory | version | string | The version of a computer resource, such as 2008r2 or 3.0.0. | |
| CPU | cpu_cores | int | The number of CPU cores reported by the resource (total, not per CPU). | |
| CPU | cpu_count | int | The number of CPUs reported by the resource. | |
| CPU | cpu_mhz | int | The maximum speed of the CPU reported by the resource (in megahertz). | |
| CPU | cpu_vendor | string | The product vendor of the CPU reported by the resource. | |
| CPU | resource_type | string | The computer resource's type. | array, disk, cluster, network, physical, rpool, system, virtual, vm, unknown |
| Memory | mem | int | The total amount of memory installed in or allocated to the resource, in megabytes. | |
| Network | dns | string | Domain name server | |
| Network | interface | MV string | The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface. | |
| Network | ip | MV string | The network addresses of the computing resource, such as 192.168.1.1 and E80:0000:0000:0000:0202:B3FF:FE1E:8329. | |
| Network | mac | MV string | A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. | |
| Network | name | string | A name field provided in some data sources. | |
| OS | os | string | The operating system of the resource, such as Microsoft Windows Server 2008r2. Should be constructed from vendor, product, and version fields. | |
| Snapshot | size | int | The snapshot file size, in megabytes. | |
| Snapshot | snapshot | string | The name of a snapshot file. | |
| Snapshot | time | string | The time at which the snapshot was taken. | |
| Storage | array | string | The array that the storage resource is a member of, if applicable. | |
| Storage | blocksize | int | Block size used by the storage resource, in kilobytes. | |
| Storage | cluster | string | The cluster that the resource is a member of, if applicable. | |
| Storage | fd_max | int | The maximum number of file descriptors available. | |
| Storage | latency | int | The latency reported by the resource, in milliseconds. | |
| Storage | mount | string | The path at which a storage resource is mounted. | |
| Storage | parent | string | A higher level object that this resource is owned by, if applicable. | |
| Storage | read_blocks | int | Ideal specification for the resource's performance, if applicable. | |
| Storage | read_latency | int | Ideal specification for the resource's performance, if applicable. | |
| Storage | read_ops | int | Ideal specification for the resource's performance, if applicable. | |
| Storage | storage | int | The amount of storage capacity allocated to the resource, in megabytes. | |
| Storage | write_blocks | int | Ideal specification for the resource's performance, if applicable. | |
| Storage | write_latency | int | Ideal specification for the resource's performance, if applicable. | |
| Storage | write_ops | int | Ideal specification for the resource's performance, if applicable. | |
| User | interactive | boolean | Indicates if a locally defined account on a resource can be interactively logged in. | |
| User | password | string | Indicates if a locally defined account has a stored password (for instance, an Add-on may report the password column from /etc/passwd in this field). | |
| User | shell | string | Indicates the shell program used by a locally defined account. | |
| User | user | string | The full name of a locally defined account. | |
| User | user_id | string | The username of a locally defined account. | |
| User | user_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| User | user_category | string | | |
| Virtual_OS | hypervisor | string | The hypervisor parent of a virtual guest OS. | |
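
The following is an added example, not part of the Splunk documentation or the add-on's own code. It shows one way a collector script could apply the mac rules (lower case, colon separators) and construct os from vendor, product, and version before indexing; the input record shape and the function names are assumptions made for illustration.

```python
import re

# Input layouts accepted: hh:hh:.., hh-hh-.., "hh hh ..", hhhh.hhhh.hhhh, 12 bare hex digits.
_MAC = re.compile(
    r"^(?:[0-9a-f]{2}([-: ])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$"
)

def normalize_mac(raw):
    """Return raw as lower-case, colon-separated octets, or None if it is not a MAC."""
    value = raw.strip().lower()
    if not _MAC.match(value):
        return None
    digits = re.sub(r"[-:. ]", "", value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_os(vendor, product, version):
    """Construct the os field from vendor, product and version, skipping blanks."""
    parts = [p.strip() for p in (vendor, product, version) if p and p.strip()]
    return " ".join(parts) or None

def to_inventory_event(record):
    """Map a collector record (hypothetical shape) to Inventory fields.

    Returns (event, rejected), where rejected lists raw MAC strings that failed
    validation. dest_bunit and dest_category are deliberately left unset.
    """
    pairs = [(raw, normalize_mac(raw)) for raw in record.get("macs", [])]
    vendor, product, version = (record.get(k) for k in ("vendor", "product", "version"))
    event = {
        "dest": record["host"],
        "vendor": vendor,
        "product": product,
        "version": version,
        "os": build_os(vendor, product, version),
        # mac is multi-value: keep each valid entry once, in first-seen order.
        "mac": list(dict.fromkeys(mac for _, mac in pairs if mac)),
    }
    return event, [raw for raw, mac in pairs if mac is None]

# Constructed sample record, not taken from any real data source.
SAMPLE = {"host": "web01", "vendor": "Microsoft", "product": "Windows Server",
          "version": "2008r2",
          "macs": ["06-10-9F-EB-8F-14", "0610.9feb.8f14", "06109FEB8F15", "not-a-mac"]}

if __name__ == "__main__":
    print(to_inventory_event(SAMPLE))
```

Strings that mix separators or have the wrong number of digits are rejected rather than repaired, so malformed source values surface in the rejected list instead of being indexed under mac.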
Last modified on 04 June, 2014

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2

