Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Data models, objects, and constraints

This table shows the objects, inheritance, tags, and constraints for the data models included in the Splunk Common Information Model Add-on. It also indicates whether the data model can be accelerated.

Data model Objects Child Objects Tags/Constraints Notes
Alerts tag=alert_messages N/A
Application State (tag=listening tag=port) OR (tag=process tag=report) OR (tag=service tag=report) Can be accelerated
Ports inherited tags and tag=listening tag=port
Missing Extractions (S.o.S) inherited tags and (dest="unknown" OR dest_port=0 OR transport="unknown")
Processes inherited tags and tag=process tag=report
Missing Extractions (S.o.S) inherited tags and (dest="unknown" OR process="unknown")
Services inherited tags and tag=service tag=report
Missing Extractions (S.o.S) inherited tags and (dest="unknown" OR service="unknown" OR start_mode="unknown")
Authentication tag=authentication NOT (action=success user=*$) Can be accelerated
Failed Authentication inherited tags and action="failure"
Successful Authentication inherited tags and action="success"
Default Authentication inherited tags and tag="default"
Failed Default Authentication inherited tags and action="failure"
Successful Default Authentication inherited tags and action="success"
Privileged Authentication inherited tags and tag="privileged"
Failed Privileged Authentication inherited tags and action="failure"
Successful Privileged Authentication inherited tags and action="success"
Missing Extractions (S.o.S) (action="unknown" OR app="unknown" OR src="unknown" OR dest="unknown" OR user="unknown")
Change Analysis tag=change Can be accelerated
Account_Management inherited tags and tag=accounts
Endpoint_Changes inherited tags and tag=endpoint
Network inherited tags and tag=network
Missing_Extractions - Account_Management inherited tags and tag=account (action="unknown" OR command="unknown" OR dest="unknown" OR object_category="unknown" OR src="unknown" OR user="unknown")
Missing_Extractions - Endpoint_Changes inherited tags and tag=endpoint (action="unknown" OR dest="unknown" OR object="unknown" OR object_category="unknown" OR object_path="unknown" OR status="unknown" OR user="unknown")
Missing_Extractions - Network inherited tags and tag=network
Missing_Extractions - Filesystem_Changes inherited tags and tag=endpoint (object_category=file OR object_category=directory) (action="unknown" OR dest="unknown" OR object="unknown" OR object_category="unknown" OR object_path="unknown" OR status="unknown" OR user="unknown" OR file_access_time="unknown" OR file_create_time="unknown" OR file_hash="unknown" OR file_modify_time="unknown" OR file_name="unknown" OR file_path="unknown" OR file_acl="unknown" OR file_size="unknown")
Missing_Extractions - Restarts inherited tags and (action="unknown" OR change_type="unknown") (reboot* OR restart*) sourcetype!=stash
Compute Inventory tag=inventory N/A
CPU inherited tags and tag=cpu
Missing Extractions (S.o.S) inherited tags and dest="unknown" OR NOT (cpu_cores=* OR cpu_count=* OR cpu_mhz=*)
Memory inherited tags and tag=memory
Missing Extractions (S.o.S) inherited tags and dest="unknown" OR NOT (mem=*)
Network inherited tags and tag=network
Missing Extractions (S.o.S) inherited tags and dest="unknown" OR NOT (interface=* OR ip=* OR mac=* OR name=* OR dns=*)
Storage inherited tags and tag=storage
Missing Extractions (S.o.S) inherited tags and dest="unknown" OR NOT (mount=* OR storage=*)
OS inherited tags and tag=os
Missing Extractions (S.o.S) inherited tags and dest="unknown" OR NOT (os=* OR version=*)
User inherited tags and tag=user
Virtual_OS inherited tags and tag=virtual
Snapshot inherited tags and tag=snapshot
Tools inherited tags and tag=Tools
IDS_Attacks tag=ids tag=attack Can be accelerated
Application_Intrusion_Detections inherited tags and ids_type="application"
Host_Intrusion_Detections inherited tags and ids_type="host"
Network_Intrusion_Detections inherited tags and ids_type="network"
Missing Extractions (S.o.S) inherited tags and (dvc="unknown" OR ids_type="unknown" OR category="unknown" OR signature="unknown" OR severity="unknown" OR src="unknown" OR dest="unknown" OR user="unknown" OR vendor_product="unknown")
Java Virtual Machines (JVM) tag=jvm Can be accelerated
Threading inherited tags and tag=threading
Runtime inherited tags and tag=runtime
OS inherited tags and tag=os
Compilation inherited tags and tag=compilation
Classloading inherited tags and tag=classloading
Memory inherited tags and tag=memory
Malware tag=malware tag=attack Can be accelerated
Allowed_Malware inherited tags and action="allowed"
Blocked_Malware inherited tags and action="blocked"
Quarantined_Malware inherited tags and action="deferred"
Missing Extractions (S.o.S) inherited tags and (action="unknown" OR category="unknown" OR signature="unknown" OR dest="unknown" OR dest_nt_domain="unknown" OR user="unknown" OR vendor_product="unknown")
Network Sessions
All_Sessions
tag=network tag=session Can be accelerated
Session_Start inherited tags and tag=start
Session_End inherited tags and tag=end
DHCP inherited tags and tag=dhcp
VPN inherited tags and tag=vpn
Missing Extractions (S.o.S) inherited tags and (ip="unknown")
Network Traffic
All_Traffic
tag=network tag=communicate Can be accelerated
Traffic_By_Actions inherited tags and action=*
Allowed_Traffic inherited tags and action=allowed
Blocked_Traffic inherited tags and action=blocked
Traffic_By_Application_Protocol inherited tags and dest_port=*
Database_Traffic inherited tags and (dest_port=1433 OR dest_port=1521)
DNS_Traffic inherited tags and dest_port=53
FTP_Traffic inherited tags and (dest_port=20 OR dest_port=21)
Shell/RDP_Traffic inherited tags and (dest_port=22 OR dest_port=23 OR dest_port=3389 OR dest_port=5900)
Web_Traffic inherited tags and (dest_port=80 OR dest_port=443 OR dest_port=1080 OR dest_port=8080)
Traffic_By_Direction inherited tags and direction=*
Traffic_By_Transport_Protocol inherited tags and transport=*
Missing Extractions (S.o.S) inherited tags and (action="unknown" OR dvc="unknown" OR rule="unknown" OR transport="unknown" OR src="unknown" OR src_port=0 OR dest="unknown" OR dest_port=0 OR vendor_product="unknown")
Performance
All_Performance
N/A
CPU inherited tags and tag=cpu
Memory inherited tags and tag=memory
Network inherited tags and tag=network
OS inherited tags and tag=os
Storage inherited tags and tag=storage
Splunk Audit Logs index=_internal sourcetype=splunk_web_access method=GET status=200 Can be accelerated
Updates tag=update tag=status Can be accelerated
Available_Updates inherited tags and status="available"
Installed_Updates inherited tags and status="installed"
Updates_Requiring_Restart inherited tags and status="restart_required"
Missing_Extractions inherited tags and (dest="unknown" OR signature="unknown" OR signature_id="unknown" OR status="unknown" OR vendor_product="unknown")
Vulnerabilities tag=vulnerability tag=report Can be accelerated
High_Or_Critical_Vulnerabilities inherited tags and (severity="high" OR severity="critical")
Medium_Vulnerabilities inherited tags and severity="medium"
Low_Or_Informational_Vulnerabilities inherited tags and (severity="low" OR severity="informational")
Missing_Extractions inherited tags only
Web and Proxy tag=web Can be accelerated
Proxy inherited tags and tag=proxy
Web_Data_By_Content_Type inherited tags and http_content_type=*
Web_Data_By_Method inherited tags and http_method=*
Web_Data_By_Status inherited tags and status=*
Missing_Extractions inherited tags and (action="unknown" OR dest="unknown" OR http_content_type="unknown" OR http_method="unknown" OR http_referrer="unknown" OR http_user_agent="unknown" OR src="unknown" OR status="unknown" OR url="unknown" OR user="unknown" OR vendor_product="unknown")
Last modified on 24 October, 2014
 

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters