This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Application State
The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.
Tags used with Application State event objects
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables."
| Object name | Tag name |
|---|---|
| All_Application_State | (listening, port) OR (process, report) OR (service, report) |
|
listening |
| port | |
|
process |
| report | |
|
service |
| report |
Fields for Application State event objects
The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields. For more information, see "How to use these reference tables."
| Object name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| All_Application_State | dest
|
string | The compute resource where the service is installed. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| All_Application_State | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| All_Application_State | dest_category
|
string | ||
| All_Application_State | dest_priority
|
string | ||
| All_Application_State | dest_requires_av
|
boolean | ||
| All_Application_State | dest_should_timesync
|
boolean | ||
| All_Application_State | dest_should_update
|
boolean | ||
| All_Application_State | process
|
string | The name of a process or service file, such as sqlsrvr.exe or httpd.Note: This field is not appropriate for service or daemon names, such as SQL Server or Apache Web Server. Service or daemon names belong to the service field (see below).
|
|
| All_Application_State | process_id
|
string | A numeric indicator (PID) for a process. | |
| All_Application_State | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| All_Application_State | user
|
string | The user account the service is running as, such as System or httpdsvc.
|
|
| All_Application_State | user_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| All_Application_State | user_category
|
string | ||
| All_Application_State | user_priority
|
string | ||
| Ports | dest_port
|
number | Network ports communicated to by the process, such as 53. | |
| Ports | transport
|
string | The network ports listened to by the application process, such as tcp, udp, etc. | |
| Ports | transport_dest_port
|
string | Calculated as transport/dest_port, such as tcp/53. | |
| Processes | cpu_load_mhz
|
number | CPU Load in megahertz | |
| Processes | cpu_load_percent
|
number | CPU Load in percent | |
| Processes | cpu_time
|
string | CPU Time | |
| Processes | mem_used
|
number | Memory used in bytes | |
| Services | service
|
string | The name of the service, such as SQL Server or Apache Web Server.Note: This field is not appropriate for filenames, such as sqlsrvr.exe or httpd. Filenames should belong to the process field instead. Also, note that field is a string. Please use the service_id field for service ID fields that are integer data types.
|
|
| Services | service_id
|
string | A numeric indicator for a service. | |
| Services | start_mode
|
string | The start mode for the service. | disabled, enabled, auto.
|
| Services | status
|
string | The status of the service. | critical, started, stopped, warning
|
Last modified on 09 February, 2016
| Alerts | Authentication |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1
Download manual
Feedback submitted, thanks!