Data models, objects, and constraints
This table shows the objects, inheritance, tags, and constraints for the data models included in the Splunk Common Information Model Add-on. It also indicates whether the data model can be accelerated.
Data model | Objects | Child Objects | Tags/Constraints | Notes |
---|---|---|---|---|
Alerts | tag=alert_messages | N/A | ||
Application State | (tag=listening tag=port) OR (tag=process tag=report) OR (tag=service tag=report) | Can be accelerated | ||
Ports | inherited tags and tag=listening tag=port | |||
Missing Extractions (S.o.S) | inherited tags and (dest="unknown" OR dest_port=0 OR transport="unknown") | |||
Processes | inherited tags and tag=process tag=report | |||
Missing Extractions (S.o.S) | inherited tags and (dest="unknown" OR process="unknown") | |||
Services | inherited tags and tag=service tag=report | |||
Missing Extractions (S.o.S) | inherited tags and (dest="unknown" OR service="unknown" OR start_mode="unknown") | |||
Authentication | tag=authentication NOT (action=success user=*$) | Can be accelerated | ||
Failed Authentication | inherited tags and action="failure" | |||
Successful Authentication | inherited tags and action="success" | |||
Default Authentication | inherited tags and tag="default" | |||
Failed Default Authentication | inherited tags and action="failure" | |||
Successful Default Authentication | inherited tags and action="success" | |||
Privileged Authentication | inherited tags and tag="privileged" | |||
Failed Privileged Authentication | inherited tags and action="failure" | |||
Successful Privileged Authentication | inherited tags and action="success" | |||
Missing Extractions (S.o.S) | (action="unknown" OR app="unknown" OR src="unknown" OR dest="unknown" OR user="unknown") | |||
Change Analysis | tag=change | Can be accelerated | ||
Account_Management | inherited tags and tag=accounts | |||
Endpoint_Changes | inherited tags and tag=endpoint | |||
Network | inherited tags and tag=network | |||
Missing_Extractions - Account_Management | inherited tags and tag=account (action="unknown" OR command="unknown" OR dest="unknown" OR object_category="unknown" OR src="unknown" OR user="unknown") | |||
Missing_Extractions - Endpoint_Changes | inherited tags and tag=endpoint (action="unknown" OR dest="unknown" OR object="unknown" OR object_category="unknown" OR object_path="unknown" OR status="unknown" OR user="unknown") | |||
Missing_Extractions - Network | inherited tags and tag=network | |||
Missing_Extractions - Filesystem_Changes | inherited tags and tag=endpoint (object_category=file OR object_category=directory) (action="unknown" OR dest="unknown" OR object="unknown" OR object_category="unknown" OR object_path="unknown" OR status="unknown" OR user="unknown" OR file_access_time="unknown" OR file_create_time="unknown" OR file_hash="unknown" OR file_modify_time="unknown" OR file_name="unknown" OR file_path="unknown" OR file_acl="unknown" OR file_size="unknown") | |||
Missing_Extractions - Restarts | inherited tags and (action="unknown" OR change_type="unknown") (reboot* OR restart*) sourcetype!=stash | |||
Compute Inventory | tag=inventory | N/A | ||
CPU | inherited tags and tag=cpu | |||
Missing Extractions (S.o.S) | inherited tags and dest="unknown" OR NOT (cpu_cores=* OR cpu_count=* OR cpu_mhz=*) | |||
Memory | inherited tags and tag=memory | |||
Missing Extractions (S.o.S) | inherited tags and dest="unknown" OR NOT (mem=*) | |||
Network | inherited tags and tag=network | |||
Missing Extractions (S.o.S) | inherited tags and dest="unknown" OR NOT (interface=* OR ip=* OR mac=* OR name=* OR dns=*) | |||
Storage | inherited tags and tag=storage | |||
Missing Extractions (S.o.S) | inherited tags and dest="unknown" OR NOT (mount=* OR storage=*) | |||
OS | inherited tags and tag=os | |||
Missing Extractions (S.o.S) | inherited tags and dest="unknown" OR NOT (os=* OR version=*) | |||
User | inherited tags and tag=user | |||
Virtual_OS | inherited tags and tag=virtual | |||
Snapshot | inherited tags and tag=snapshot | |||
Tools | inherited tags and tag=Tools | |||
IDS_Attacks | tag=ids tag=attack | Can be accelerated | ||
Application_Intrusion_Detections | inherited tags and ids_type="application" | |||
Host_Intrusion_Detections | inherited tags and ids_type="host" | |||
Network_Intrusion_Detections | inherited tags and ids_type="network" | |||
Missing Extractions (S.o.S) | inherited tags and (dvc="unknown" OR ids_type="unknown" OR category="unknown" OR signature="unknown" OR severity="unknown" OR src="unknown" OR dest="unknown" OR user="unknown" OR vendor_product="unknown") | |||
Java Virtual Machines (JVM) | tag=jvm | Can be accelerated | ||
Threading | inherited tags and tag=threading | |||
Runtime | inherited tags and tag=runtime | |||
OS | inherited tags and tag=os | |||
Compilation | inherited tags and tag=compilation | |||
Classloading | inherited tags and tag=classloading | |||
Memory | inherited tags and tag=memory | |||
Malware | tag=malware tag=attack | Can be accelerated | ||
Allowed_Malware | inherited tags and action="allowed" | |||
Blocked_Malware | inherited tags and action="blocked" | |||
Quarantined_Malware | inherited tags and action="deferred" | |||
Missing Extractions (S.o.S) | inherited tags and (action="unknown" OR category="unknown" OR signature="unknown" OR dest="unknown" OR dest_nt_domain="unknown" OR user="unknown" OR vendor_product="unknown") | |||
Network Sessions All_Sessions |
tag=network tag=session | Can be accelerated | ||
Session_Start | inherited tags and tag=start | |||
Session_End | inherited tags and tag=end | |||
DHCP | inherited tags and tag=dhcp | |||
VPN | inherited tags and tag=vpn | |||
Missing Extractions (S.o.S) | inherited tags and (ip="unknown") | |||
Network Traffic All_Traffic |
tag=network tag=communicate | Can be accelerated | ||
Traffic_By_Actions | inherited tags and action=* | |||
Allowed_Traffic | inherited tags and action=allowed | |||
Blocked_Traffic | inherited tags and action=blocked | |||
Traffic_By_Application_Protocol | inherited tags and dest_port=* | |||
Database_Traffic | inherited tags and (dest_port=1433 OR dest_port=1521) | |||
DNS_Traffic | inherited tags and dest_port=53 | |||
FTP_Traffic | inherited tags and (dest_port=20 OR dest_port=21) | |||
Shell/RDP_Traffic | inherited tags and (dest_port=22 OR dest_port=23 OR dest_port=3389 OR dest_port=5900) | |||
Web_Traffic | inherited tags and (dest_port=80 OR dest_port=443 OR dest_port=1080 OR dest_port=8080) | |||
Traffic_By_Direction | inherited tags and direction=* | |||
Traffic_By_Transport_Protocol | inherited tags and transport=* | |||
Missing Extractions (S.o.S) | inherited tags and (action="unknown" OR dvc="unknown" OR rule="unknown" OR transport="unknown" OR src="unknown" OR src_port=0 OR dest="unknown" OR dest_port=0 OR vendor_product="unknown") | |||
Performance All_Performance |
N/A | |||
CPU | inherited tags and tag=cpu | |||
Memory | inherited tags and tag=memory | |||
Network | inherited tags and tag=network | |||
OS | inherited tags and tag=os | |||
Storage | inherited tags and tag=storage | |||
Splunk Audit Logs | index=_internal sourcetype=splunk_web_access method=GET status=200 | Can be accelerated | ||
Updates | tag=update tag=status | Can be accelerated | ||
Available_Updates | inherited tags and status="available" | |||
Installed_Updates | inherited tags and status="installed" | |||
Updates_Requiring_Restart | inherited tags and status="restart_required" | |||
Missing_Extractions | inherited tags and (dest="unknown" OR signature="unknown" OR signature_id="unknown" OR status="unknown" OR vendor_product="unknown") | |||
Vulnerabilities | tag=vulnerability tag=report | Can be accelerated | ||
High_Or_Critical_Vulnerabilities | inherited tags and (severity="high" OR severity="critical") | |||
Medium_Vulnerabilities | inherited tags and severity="medium" | |||
Low_Or_Informational_Vulnerabilities | inherited tags and (severity="low" OR severity="informational") | |||
Missing_Extractions | inherited tags only | |||
Web and Proxy | tag=web | Can be accelerated | ||
Proxy | inherited tags and tag=proxy | |||
Web_Data_By_Content_Type | inherited tags and http_content_type=* | |||
Web_Data_By_Method | inherited tags and http_method=* | |||
Web_Data_By_Status | inherited tags and status=* | |||
Missing_Extractions | inherited tags and (action="unknown" OR dest="unknown" OR http_content_type="unknown" OR http_method="unknown" OR http_referrer="unknown" OR http_user_agent="unknown" OR src="unknown" OR status="unknown" OR url="unknown" OR user="unknown" OR vendor_product="unknown") |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0
Feedback submitted, thanks!