This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Endpoint
The Endpoint data model replaces the Application State data model, which is deprecated as of software version 4.12.0.
The fields and tags in the Endpoint data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
| Dataset name | Tag name |
|---|---|
| Endpoint | |
|
listening |
| port | |
|
process |
| report | |
|
service |
| report | |
|
endpoint |
| filesystem | |
|
endpoint |
| registry |
The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.
Ports
| Dataset name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Ports | creation_time
|
timestamp | The time at which the network port started listening on the endpoint. | |
| Ports | dest_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | dest_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | dest_port
|
number | Network port listening on the endpoint, such as 53. | |
| Ports | dest_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | dest_requires_av
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | dest_should_timesync
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | dest_should_update
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | src_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | process_id
|
string | The numeric identifier of the process assigned by the operating system. | |
| Ports | src_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | src_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | src_requires_av
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | src_should_timesync
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | src_should_update
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | state
|
string | The status of the listening port, such as established, listening, etc. | |
| Ports | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Ports | transport
|
string | The network transport protocol associated with the listening port, such as tcp, udp, etc." | |
| Ports | transport_dest_port
|
string | Calculated as transport/dest_port, such as tcp/53. | |
| Ports | user_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | user_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Ports | user_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. |
Processes
| Dataset name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Processes | action
|
string | The action taken by the endpoint, such as allowed, blocked, deferred. | |
| Processes | cpu_load_percent
|
number | CPU load consumed by the process (in percent). | |
| Processes | dest_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | dest_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | dest_is_expected
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| Processes | dest_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | dest_requires_av
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | dest_should_timesync
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | dest_should_update
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | mem_used
|
number | Memory used by the process (in bytes). | |
| Processes | os
|
string | The operating system of the resource, such as Microsoft Windows Server 2008r2. | |
| Processes | parent_process_exec
|
string | The executable name of the parent process. | |
| Processes | parent_process_id
|
number | The numeric identifier of the parent process assigned by the operating system. | |
| Processes | parent_process_guid
|
string | The globally unique identifer of the parent process assigned by the vendor_product. | |
| Processes | parent_process_path
|
string | The file path of the parent process, such as C:\Windows\System32\notepad.exe. | |
| Processes | process_current_directory
|
string | The current working directory used to spawn the process. | |
| Processes | process_exec
|
string | The executable name of the process. | |
| Processes | process_hash
|
string | The digests of the parent process, such as <md5>, <sha1>, etc. | |
| Processes | process_guid
|
string | The globally unique identifer of the process assigned by the vendor_product. | |
| Processes | process_id
|
number | The numeric identifier of the process assigned by the operating system. | |
| Processes | process_integrity_level
|
string | The Windows integrity level of the process. | system, high, medium, low, untrusted
|
| Processes | process_path
|
string | The file path of the process, such as C:\Windows\System32\notepad.exe. | |
| Processes | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Processes | user_id
|
string | The unique identifier of the user account which spawned the process. | |
| Processes | user_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | user_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Processes | user_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. |
Services
| Dataset name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Services | description
|
string | The description of the service. | |
| Services | dest_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | dest_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | dest_is_expected
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| Services | dest_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | dest_requires_av
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | dest_should_timesync
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | dest_should_update
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | process_id
|
string | The numeric identifier of the process assigned by the operating system. | |
| Services | service_dll
|
string | The dynamic link library associated with the service. | |
| Services | service_dll_path
|
string | The file path to the dynamic link library assocatied with the service, such as C:\Windows\System32\comdlg32.dll. | |
| Services | service_dll_hash
|
string | The digests of the dynamic link library associated with the service, such as <md5>, <sha1>, etc. | |
| Services | service_dll_signature_exists
|
boolean | Whether or not the dynamic link library associated with the service has a digitally signed signature. | |
| Services | service_dll_signature_verified
|
boolean | Whether or not the dynamic link library associated with the service has had its digitally signed signature verified. | |
| Services | service_exec
|
string | The executable name of the service. | |
| Services | service_hash
|
string | The digest(s) of the service, such as <md5>, <sha1>, etc. | |
| Services | service_path
|
string | The file path of the service, such as C:\WINDOWS\system32\svchost.exe. | |
| Services | service_signature_exists
|
boolean | Whether or not the service has a digitally signed signature. | |
| Services | service_signature_verified
|
boolean | Whether or not the service has had its digitally signed signature verified. | |
| Services | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Services | user_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | user_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Services | user_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. |
Filesystem
| Dataset name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Filesystem | dest_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | dest_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | dest_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | dest_requires_av
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | dest_should_timesync
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | dest_should_update
|
boolean | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | file_access_time
|
timestamp | The time that the file (the object of the event) was accessed. | |
| Filesystem | file_create_time
|
timestamp | The time that the file (the object of the event) was created. | |
| Filesystem | file_modify_time
|
timestamp | The time that the file (the object of the event) was altered. | |
| Filesystem | process_id
|
string | The numeric identifier of the process assigned by the operating system. | |
| Filesystem | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Filesystem | user_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | user_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Filesystem | user_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. |
Registry
| Dataset name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| Registry | dest_bunit
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | dest_category
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | dest_priority
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | dest_requires_av
|
boolean | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | dest_should_timesync
|
boolean | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | dest_should_update
|
boolean | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | process_id
|
string | The numeric identifier of the process assigned by the operating system. | |
| Registry | registry_hive
|
string | The logical grouping of registry keys, subkeys, and values. | HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\\SAM, HKEY_LOCAL_MACHINE\\Security, HKEY_LOCAL_MACHINE\\Software, HKEY_LOCAL_MACHINE\\System, HKEY_USERS\\.DEFAULT
|
| Registry | registry_value_text
|
string | The textual representation of registry_value_data (if applicable). | |
| Registry | status
|
string | The outcome of the registry action. | failure, success
|
| Registry | tag
|
string | This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it. | |
| Registry | user_bunit
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Registry | user_category
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. | |
| Registry | user_priority
|
string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons. |
Calculations
| Calculation ID | Field name | Data type | Description | Expression |
|---|---|---|---|---|
Endpoint_Ports_
|
src
|
string | The "remote" system connected to the listening port (if applicable). | if(isnull(src) OR src=\"\",\"unknown\",src)
|
Endpoint_Ports_
|
src_port
|
number | The "remote" port connected to the listening port (if applicable). | if(isnum(src_port),src_port,0)
|
Endpoint_Ports_
|
dest
|
string | The endpoint on which the port is listening. | if(isnull(dest) OR dest=\"\",\"unknown\",dest)
|
Endpoint_Ports_
|
user
|
string | The user account associated with the listening port. | if(isnull(user) OR user=\"\",\"unknown\",user)
|
Endpoint_Ports_
|
vendor_product
|
string | The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. | case(isnotnull(vendor_product),vendor_product,
|
Endpoint_Processes_
|
dest
|
string | The endpoint for which the process was spawned. | if(isnull(dest) OR dest=\"\",\"unknown\",dest)
|
Endpoint_Processes_
|
parent_process
|
string | The full command string of the parent process. | if(isnull(parent_process) OR parent_process=\"\",\"unknown\",parent_process)
|
Endpoint_Processes_
|
parent_process_name
|
string | The friendly name of the parent process, such as notepad.exe. | case(isnotnull(parent_process_name) AND parent_process_name!=\"\",parent_process_name,
|
Endpoint_Processes_
|
process
|
string | The full command string of the spawned process. Such as C:\\WINDOWS\\system32\\cmd.exe \/c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme\"". There is a limit of 2048 characters. | if(isnull(process) OR process=\"\",\"unknown\",process)
|
Endpoint_Processes_
|
process_name
|
string | The friendly name of the process, such as notepad.exe. | case(isnotnull(process_name) AND process_name!=\"\",process_name,isnotnull(process) AND process!=\"\",replace(process,\"^\\s*([^\\s]+).*\",\"\\1\"),1=1,\"unknown\")
|
Endpoint_Processes_
|
user
|
string | The user account that spawned the process. | if(isnull(user) OR user=\"\",\"unknown\",user)
|
Endpoint_Processes_
|
vendor_product
|
string | The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." | case(isnotnull(vendor_product),vendor_product,
|
Endpoint_Services_
|
dest
|
string | The endpoint for which the service is installed." | if(isnull(dest) OR dest=\"\",\"unknown\",dest)
|
Endpoint_Services_
|
service
|
string | The full service name." | if(isnull(service) OR service=\"\",\"unknown\",service)
|
Endpoint_Services_
|
service_name
|
string | The friendly service name." | if(isnull(service_name) OR service_name=\"\",\"unknown\",service_name)
|
Endpoint_Services_
|
service_id
|
string | The unique identifier of the service assigned by the operating system." | if(isnull(service_id) OR service_id=\"\",\"unknown\",service_id)
|
Endpoint_Services_
|
start_mode
|
string | The start mode for the service." | if(isnull(start_mode) OR start_mode=\"\",\"unknown\",start_mode)
|
Endpoint_Services_
|
status
|
string | The status of the service. Expected values: critical, started", stopped, warning
|
if(isnull(status) OR status=\"\",\"unknown\",status)
|
Endpoint_Services_
|
user
|
string | The user account associated with the service. | if(isnull(user) OR user=\"\",\"unknown\",user)
|
Endpoint_Services_
|
vendor_product
|
string | The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. | case(isnotnull(vendor_product),vendor_product,
|
Endpoint_Filesystem_
|
action
|
string | The action performed on the resource. Expected values: acl_modified, created, deleted, modified, read
|
if(isnull(action) OR action=\"\",\"unknown\",action)
|
Endpoint_Filesystem_
|
dest
|
string | The endpoint pertaining to the filesystem activity. | if(isnull(dest) OR dest=\"\",\"unknown\",dest)
|
Endpoint_Filesystem_
|
file_hash
|
string | A cryptographic identifier assigned to the file object affected by the event. | if(isnull(file_hash) OR file_hash=\"\",\"unknown\",file_hash)
|
Endpoint_Filesystem_
|
file_name
|
string | The name of the file, such as notepad.exe. | if(isnull(file_name) OR file_name=\"\",\"unknown\",file_name
|
Endpoint_Filesystem_
|
file_path
|
string | The path of the file, such as C:\Windows\System32\notepad.exe. | if(isnull(file_path) OR file_path=\"\",\"unknown\",file_path)
|
Endpoint_Filesystem_
|
file_acl
|
string | Access controls associated with the file affected by the event. | if(isnull(file_acl) OR file_acl=\"\",\"unknown\",file_acl)
|
Endpoint_Filesystem_
|
file_size
|
number | The size of the file that is the object of the event, in kilobytes. | if(isnum(file_size),file_size,null())
|
Endpoint_Filesystem_
|
user
|
string | The user account associated with the filesystem access. | if(isnull(user) OR user=\"\",\"unknown\",user)
|
Endpoint_Filesystem_
|
vendor_product
|
string | The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. | case(isnotnull(vendor_product),vendor_product,
|
Endpoint_Registry_
|
action
|
string | The action performed on the resource. Expected values: created, deleted, modified, read"
|
if(isnull(action) OR action=\"\",\"unknown\",action)
|
Endpoint_Registry_
|
dest
|
string | The endpoint pertaining to the registry events. | if(isnull(dest) OR dest=\"\",\"unknown\",dest)
|
Endpoint_Registry_
|
registry_path
|
string | The path to the registry value, such as \win\directory\directory2\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData. | if(isnull(registry_path) OR registry_path=\"\",\"unknown\",registry_path)
|
Endpoint_Registry_
|
registry_key_name
|
string | The name of the registry key, such as PrinterDriverData. | if(isnull(registry_key_name) OR registry_key_name=\"\",\"unknown\",
|
Endpoint_Registry_
|
registry_value_data
|
string | The unaltered registry value. | if(isnull(registry_value_data) OR registry_value_data=\"\",\"unknown\",
|
Endpoint_Registry_
|
registry_value_name
|
string | The name of the registry value. | if(isnull(registry_value_name) OR registry_value_name=\"\",\"unknown\",
|
Endpoint_Registry_
|
registry_value_type
|
string | The type of the registry value. Expected values: REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_NONE, REG_QWORD, REG_QWORD_LITTLE_ENDIAN, REG_SZ"
|
if(isnull(registry_value_type) OR registry_value_type=\"\",\"unknown\",
|
Endpoint_Registry_
|
user
|
string | The user account associated with the registry access. | if(isnull(user) OR user=\"\",\"unknown\",user)
|
Endpoint_Registry_
|
vendor_product
|
string | The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. | case(isnotnull(vendor_product),vendor_product,
|
Search Example
The architecture of this data model is different than those it replaces. Each data set is directly searchable as DataModel.DataSet rather than by node name. An example follows for the new versus old search for summary count of ports by destination port:
- Endpoint
| tstats `summariesonly` count from datamodel=Endpoint.Ports by Ports.dest- Application State
| tstats count from datamodel=Application_State.All_Application_State where nodename="All_Application_State.Ports" by All_Application_State.dest
Last modified on 28 July, 2021
| Interprocess Messaging |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.12.0
Download manual
Feedback submitted, thanks!