Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Event Signatures

Event Signatures is a standard location to store Windows EventID. This data model is searchable as DataModel.DataSet. It is not accelerated by default, but the appropriate acceleration settings have been defined.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.


Dataset name Tag name
Event_Signatures
|____ Signatures
track_event_signatures

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

Event Signatures

Dataset name Field name Data type Description Abbreviated list of example values
Signatures dest string System affected by the signature.
Signatures dest_bunit string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Signatures dest_category string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Signatures dest_priority string This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this fields when writing add-ons.
Signatures signature string The human readable event name.
Signatures signature_id string The event name identifier (as supplied by the vendor).
Signatures tag string This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it.

Calculations

Calculation ID Field name Data type Description Expression
Signatures_vendor_product vendor_product string The vendor and product name of the technology that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data. case(isnotnull(vendor_product),vendor_product,

isnotnull(vendor) AND vendor!=\"unknown\" AND isnotnull(product) AND product!=\"unknown\",vendor.\" \".product,isnotnull(vendor) AND vendor!=\"unknown\" AND (isnull(product) OR product=\"unknown\"),vendor.\" unknown\",(isnull(vendor) OR vendor=\"unknown\") AND isnotnull(product) AND product!=\"unknown\",\"unknown \".product,isnotnull(sourcetype),sourcetype, 1=1,\"unknown\")"

Search Example

An example follows for the summary count of signatures by destination ID:

| tstats count from datamodel=Event_Signatures.Signatures by Signatures.signature_id,Signatures.dest

Last modified on 08 May, 2020
Endpoint   Interprocess Messaging

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.14.0, 4.15.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters