Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Performance

The fields in the Performance data model describe performance tracking data.

Tags used with Performance event objects

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables."

Object name Tag name
All_Performance performance
|____CPU
cpu
|____Facilities
facilities
|____Memory
memory
|____Storage
storage
|____Network
network
|____OS
os
|____Uptime
uptime
|____Timesync
time
synchronize

Fields for Performance event objects

The following table lists the extracted and calculated fields for the event objects in the model. The teble does not include any inherited fields. For more information, see "How to use these reference tables."

Object name Field name Data type Description Possible values
All_Performance dest string The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
All_Performance dest_bunit string The business unit of the system where the event occurred.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
All_Performance dest_category string The category of the system where the event occurred.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
All_Performance dest_priority string The priority of the system where the performance event occurred.
All_Performance dest_should_timesync boolean Indicates whether or not the system where the performance event occurred should time sync.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
All_Performance dest_should_update boolean Indicates whether or not the system where the performance event occurred should update.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
All_Performance hypervisor_id string The ID of the virtualization hypervisor.
All_Performance resource_type string The type of facilities resource involved in the performance event, such as a rack, room, or system.
All_Performance tag string A tag associated with the performance event.
CPU cpu_load_mhz number The amount of CPU load reported by the controller in megahertz.
CPU cpu_load_percent number The amount of CPU load reported by the controller in percentage points.
CPU cpu_time number The number of CPU seconds consumed by processes.
CPU cpu_user_percent number Percentage of CPU user time consumed by processes.
Facilities fan_speed number The speed of the cooling fan in the facilities resource, in rotations per second.
Facilities power number Amount of power consumed by the facilities resource, in Kw/h.
Facilities temperature number Average temperature of the facilities resource, in °C.
Memory mem number The total amount of memory capacity reported by the resource, in megabytes.
Memory mem_committed number The committed amount of memory reported by the resource, in megabytes.
Memory mem_free number The free amount of memory reported by the resource, in megabytes.
Memory mem_used number The used amount of memory reported by the resource, in megabytes.
Memory swap number The total swap space size, in megabytes, if applicable.
Memory swap_free number The free swap space size, in megabytes, if applicable.
Memory swap_used number The used swap space size, in megabytes, if applicable.
Storage array number The array that the resource is a member of, if applicable.
Storage blocksize number Block size used by the storage resource, in kilobytes.
Storage cluster string The cluster that the resource is a member of, if applicable.
Storage fd_max number The maximum number of available file descriptors.
Storage fd_used number The current number of open file descriptors.
Storage latency number The latency reported by the resource, in milliseconds.
Storage mount string The mount point of a storage resource.
Storage parent string A generic indicator of hierarchy. For instance, a disk event might include the array id here.
Storage read_blocks number Number of blocks read.
Storage read_latency number The latency of read operations, in milliseconds.
Storage read_ops number Number of read operations.
Storage storage number The total amount of storage capacity reported by the resource, in megabytes.
Storage storage_free number The free amount of storage capacity reported by the resource, in megabytes.
Storage storage_free_percent number The percentage of storage capacity reported by the resource that is free.
Storage storage_used number The used amount of storage capacity reported by the resource, in megabytes.
Storage storage_used_percent number The percentage of storage capacity reported by the resource that is used.
Storage write_blocks number The number of blocks written by the resource.
Storage write_latency number The latency of write operations, in milliseconds.
Storage write_ops number The total number of write operations processed by the resource.
Network thruput number The current throughput reported by the service, in bytes.
Network thruput_max number The maximum possible throughput reported by the service, in bytes.
OS signature string The event description signature, if available.
Timesync action string The result of a time sync event. success, failure, unknown
Uptime uptime number The uptime of the compute resource, in seconds.
PREVIOUS
Network Traffic
  NEXT
Splunk Audit Logs

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1


Comments

Thanks, Helge! I have updated the page to reflect that the units for thruput and thruput_max are both bytes.

Rpille splunk
December 17, 2014

Some descriptions are lacking the unit, e.g. "thruput": is that bytes/second?

Helge
December 12, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters