Network Sessions
The fields in the Network Sessions data model describe DHCP and DNS traffic (whether server:server or client:server) and network infrastructure inventory and topology.
Tags used with Network Session event objects
Object name | Tag name |
---|---|
All_Sessions | network |
 | session |
 | start |
 | end |
 | dhcp |
 | vpn |
Fields for Network Sessions event objects
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
All_Sessions | action | string | The action taken by the reporting device. | added, blocked, unknown |
All_Sessions | dest_ip | string | The IP address of the system reporting a network session event. If the system is a Dynamic Host Configuration Protocol (DHCP) server, this is the lease IP for that server. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | dest_mac | string | The MAC address of the system reporting a network session event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | dest_nt_host | string | The name of the Active Directory for the system reporting a network session event, if applicable. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | dest_dns | string | The domain name server for the system reporting a network session event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | signature | string | An indication of the type of network session event. | |
All_Sessions | src_dns | string | The domain name server of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | src_ip | string | The IP address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | src_mac | string | The MAC address of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | src_nt_host | string | The Active Directory name of the originator of a Dynamic Host Configuration Protocol (DHCP) or DNS event. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Sessions | tag | string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
All_Sessions | user | string | The user in a network session event, where applicable. For instance, a VPN session or an authenticated DHCP event. | |
All_Sessions | vendor_product | string | The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields. | |
DHCP | lease_duration | number | The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds. | |
DHCP | lease_scope | string | The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered. | |
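One way to check that a normalized event conforms to the tables above before relying on it in searches, as an added example that is not part of the Splunk documentation. It is plain Python rather than Splunk code; the function names, the accepted MAC format (six hex octets separated by `:` or `-`), the space used to join vendor and product, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

ALLOWED_ACTIONS = {"added", "blocked", "unknown"}  # "Possible values" for action
REQUIRED_TAGS = {"network", "session"}             # tags listed for All_Sessions
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")  # assumed format


def with_vendor_product(event):
    """Return a copy with vendor_product built from vendor and product."""
    out = dict(event)
    if "vendor_product" not in out and {"vendor", "product"} <= out.keys():
        out["vendor_product"] = f"{out['vendor']} {out['product']}"
    return out


def check_event(event, tags):
    """Return a list of ways the event departs from the field tables."""
    problems = []
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        problems.append(f"missing tags: {sorted(missing)}")
    if "action" in event and event["action"] not in ALLOWED_ACTIONS:
        problems.append(f"action {event['action']!r} is not an allowed value")
    for name in ("src_ip", "dest_ip"):
        if name in event:
            try:
                ipaddress.ip_address(event[name])
            except ValueError:
                problems.append(f"{name} is not an IP address")
    for name in ("src_mac", "dest_mac"):
        if name in event and not MAC_RE.match(str(event[name])):
            problems.append(f"{name} is not a MAC address")
    dur = event.get("lease_duration")
    if dur is not None and (isinstance(dur, bool)
                            or not isinstance(dur, (int, float)) or dur < 0):
        problems.append("lease_duration must be a non-negative number (seconds)")
    return problems


# Constructed sample events, not real log data.
GOOD_TAGS = ["network", "session", "dhcp", "start"]
GOOD = with_vendor_product({
    "action": "added", "signature": "DHCPACK", "vendor": "Microsoft",
    "product": "DHCP", "src_ip": "10.20.30.40", "src_mac": "00:11:22:33:44:55",
    "dest_ip": "10.20.30.1", "lease_duration": 86400})
BAD_TAGS = ["network"]
BAD = {"action": "allowed", "src_ip": "10.20.30.400",
       "src_mac": "0011.2233.4455", "lease_duration": "86400"}
```

`check_event(BAD, BAD_TAGS)` reports the missing `session` tag, the out-of-vocabulary action, the malformed address fields, and a lease duration stored as a string instead of a number.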
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0