This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
The fields and tags in the Email data model describe email traffic (whether server:server or client:server).
Tags used with Email event objects
| Object name | Tag name |
|---|---|
| All_Email | |
|
delivery |
|
content |
|
filter |
Fields for the Email event objects
| Object name | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
action
|
string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown
| |
delay
|
number | Total sending delay in seconds. | ||
dest
|
string | The endpoint system to which the message was delivered. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
|
||
dest_bunit
|
string | The business unit of the endpoint system to which the message was delivered. | ||
dest_category
|
string | The category of the endpoint system to which the message was delivered. | ||
dest_priority
|
string | The priority of the endpoint system to which the message was delivered. | ||
file_hash
|
string | The hash(es) for the file(s) attached to the message, if any exist. | ||
file_name
|
string | The name(s) of the file(s) attached to the message, if any exist. | ||
internal_message_id
|
string | Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport).
|
||
message_id
|
string | The globally-unique message identifier. | ||
message_info
|
string | Additional information about the message. | ||
orig_dest
|
string | The original destination host of the message. The message destination host can change when a message is relayed or bounced. | ||
orig_recipient
|
string | The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient. | ||
orig_src
|
string | The original source of the message. | ||
process
|
string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.
|
||
process_id
|
number | The numeric identifier of the process that Splunk invokes in order to send the message. | ||
protocol
|
string | The email protocol involved, such as SMTP or RPC.
|
||
recipient
|
string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com".
|
||
recipient_count
|
number | The total number of intended message recipients. | ||
recipient_status
|
string | The recipient delivery status, if available. | ||
retries
|
number | The number of times that the message was automatically resent because it was bounced back, or a similar transmission error condition. | ||
return_addr
|
string | The return address for the message. | ||
size
|
number | The size of the message, in bytes. | ||
src
|
string | The system that sent the message. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
|
||
src_bunit
|
string | The business unit of the system that sent the message. | ||
src_category
|
string | The category of the system that sent the message. | ||
src_priority
|
string | The priority of the system that sent the message. | ||
src_user
|
string | The email address of the message sender. | ||
src_user_bunit
|
string | The business unit of the message sender. | ||
src_user_category
|
string | The category of the message sender. | ||
src_user_priority
|
string | The priority of the message sender. | ||
status_code
|
string | The status code associated with the message. | ||
subject
|
string | The subject of the message. | ||
tag
|
string | The tag(s) associated with the message, if any exist. | ||
url
|
string | The URL associated with the message, if any. | ||
user
|
string | The user context for the process. This is not the email address for the sender. For that, look at the src_user field.
|
||
user_bunit
|
string | The business unit of the user context for the process.
|
||
user_category
|
string | The category of the user context for the process.
|
||
user_priority
|
string | The priority of the user context for the process.
|
||
vendor_product
|
string | The full name of the email server used for the email transaction. | ||
xdelay
|
string | Extended delay information for the message transaction. May contain details of all the delays from all the servers in the message transmission chain. | ||
xref
|
string | An external reference. Can contain message IDs or recipient addresses from related messages. |
Last modified on 12 November, 2014
| Databases | Interprocess Messaging |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0
Download manual
Feedback submitted, thanks!