Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Network Resolution (DNS)

The fields and tags in the Network Resolution (DNS) data model describe DNS traffic, both server:server and client:server.

Tags used with the DNS event object

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables".

Object name Tag name
DNS network
resolution
dns

Fields for the Network Resolution event object

The following table lists the extracted and calculated fields for the event object in the model. Note that it does not include any inherited fields. For more information, see "How to use these reference tables".

Object name Field name Data type Description Expected values
DNS additional_answer_count number Number of entries in the "additional" section of the DNS message.
DNS answer string Resolved address for the query.
DNS answer_count number Number of entries in the answer section of the DNS message.
DNS authority_answer_count number Number of entries in the "authority" section of the DNS message.
DNS dest string The destination of the network resolution event. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
DNS dest_category string The category of the network resolution target, such as email_server or SOX-compliant.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
DNS dest_port number The destination port number.
DNS dest_priority string The priority of the destination, if applicable.
DNS duration number The time taken by the network resolution event, in seconds.
DNS entry string A container for the DNS message.
DNS message_type string Type of DNS message. Query, Response, unknown
DNS query string The domain which needs to be resolved. Applies to messages of type "Query".
DNS query_count number Number of entries that appear in the "Questions" section of the DNS query.
DNS query_type string The DNS OpCode name as defined in https://tools.ietf.org/html/rfc2929#section-2.2. Query, IQuery, Status, Notify, Update, unknown
DNS reply_code string Return code for the response as defined in https://tools.ietf.org/html/rfc2929#section-2.3. NoError, FormErr, ServFail, NXDomain, NotImp, Refused, YXDomain, YXRRSet, NotAuth, NotZone, BADVERS, BADSIG, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, unknown
DNS reply_code_id number Numerical id of the return code as defined in https://tools.ietf.org/html/rfc2929#section-2.3. 0-10, 16-21
DNS response_time number The amount of time it took to receive a response in the network resolution event, if applicable.
DNS src string The source of the network resolution event. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
DNS src_bunit string The business unit of the source.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
DNS src_category string The category of the source, such as email_server or SOX-compliant.

This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security.
DNS src_port number The port number of the source.
DNS src_priority string The priority of the source.
DNS tag string This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
DNS transaction_id number The unique numerical transaction id of the network resolution event.
DNS transport string The transport protocol used by the network resolution event.
DNS ttl number The time-to-live of the network resolution event.
DNS vendor_product string The vendor and product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist.
Last modified on 11 February, 2016
Malware   Network Sessions

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters