This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Web
The fields in the Web data model describe web server and/or proxy server data in a security or operational context.
Tags used with the Web event objects
| Object name | Tag name |
|---|---|
| Web | web |
|
proxy |
Fields for Web event objects
| Object name | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Web | action
|
string | The action taken by the server or proxy. | |
| Web | app
|
string | The app recording the data, such as IIS, Squid, or Bluecoat. | |
| Web | bytes
|
number | The total number of bytes transferred (bytes_in + bytes_out).
|
|
| Web | bytes_in
|
number | The number of inbound bytes transferred. | |
| Web | bytes_out
|
number | The number of outbound bytes transferred. | |
| Web | category
|
string | The category of traffic, such as may be provided by a proxy server. | |
| Web | cookie
|
string | The cookie file recorded in the event. | |
| Web | dest
|
string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| Web | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Web | dest_category
|
string | ||
| Web | dest_priority
|
string | ||
| Web | duration
|
number | The time taken by the proxy event, in seconds. | |
| Web | http_content_type
|
string | The content-type of the requested HTTP resource. | |
| Web | http_method
|
string | The HTTP method used in the request. | GET, POST, DELETE, and so on.
|
| Web | http_referrer
|
string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names.
|
|
| Web | http_user_agent
|
string | The user agent used in the request. | |
| Web | http_user_agent_length
|
number | The length of the user agent used in the request. | |
| Web | site
|
string | The virtual site which services the request, if applicable. | |
| Web | src
|
string | The source of the network traffic (the client requesting the connection). | |
| Web | src_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Web | src_category
|
string | ||
| Web | src_priority
|
string | ||
| Web | status
|
string | The HTTP response code indicating the status of the proxy request. | 404, 302, 500, and so on.
|
| Web | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
| Web | uri_path
|
string | The universal resource indicator path of the resource served by the webserver or proxy. | |
| Web | uri_query
|
string | The universal resource indicator path of the resource requested by the client. | |
| Web | url
|
string | The URL of the requested HTTP resource. | |
| Web | url_length
|
number | The length of the URL. | |
| Web | user
|
string | The user that requested the HTTP resource. | |
| Web | user_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
| Web | user_category
|
string | ||
| Web | user_priority
|
string | ||
| Web | vendor_product
|
string | The vendor of the proxy server, such as Squid Proxy Server.
|
|
Last modified on 18 November, 2014
| Vulnerabilities | Install the add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0
Download manual
Feedback submitted, thanks!