The fields and tags in the Email data model describe email traffic, whether server-to-server or client-to-server.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Email event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name
---|---
All_Email | email
|___ Delivery | delivery
|___ Content | content
|___ Filtering | filter
Fields for the Email event datasets
The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.
The key for using the column titled "Abbreviated list of example values" follows:
- Recommended fields are those derived from the "recommended=true" JSON parameter; add-on (TA) developers should make best efforts to map them.
- Prescribed fields list the permitted values that can populate the field, derived from the "expected_values" JSON parameter.
- Other values are further example values that you might see in practice.
Dataset name | Field name | Data type | Description | Abbreviated list of example values
---|---|---|---|---
All_Email | action | string | Action taken by the reporting device. |
All_Email | delay | number | Total sending delay in milliseconds. |
All_Email | dest | string | The endpoint system to which the message was delivered. You can alias this from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`. | recommended
All_Email | dest_bunit | string | The business unit of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | dest_category | string | The category of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | dest_priority | string | The priority of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | duration | number | The amount of time for the completion of the messaging event, in seconds. |
All_Email | file_hash | string | The hashes for the files attached to the message, if any exist. |
All_Email | file_name | string | The names of the files attached to the message, if any exist. |
All_Email | file_size | number | The size of the files attached to the message, in bytes. |
All_Email | internal_message_id | string | Host-specific unique message identifier. | other: `aid` in sendmail, `IMI` in Domino, `Internal-Message-ID` in Exchange, `MID` in Ironport
All_Email | message_id | string | The globally unique message identifier. |
All_Email | message_info | string | Additional information about the message. |
All_Email | orig_dest | string | The original destination host of the message. The message destination host can change when a message is relayed or bounced. |
All_Email | orig_recipient | string | The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient. |
All_Email | orig_src | string | The original source of the message. |
All_Email | process | string | The name of the email executable that carries out the message transaction. | other: `sendmail`, `postfix`, or the name of an email client
All_Email | process_id | number | The numeric identifier of the process invoked to send the message. |
All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | prescribed fields: `smtp`, `imap`, `pop3`, `mapi`
All_Email | recipient | string | A field listing individual recipient email addresses. |
All_Email | recipient_count | number | The total number of intended message recipients. |
All_Email | recipient_status | string | The recipient delivery status, if available. |
All_Email | response_time | number | The amount of time it took to receive a response in the messaging event, in seconds. |
All_Email | retries | number | The number of times that the message was automatically resent because it was bounced back, or because of a similar transmission error condition. |
All_Email | return_addr | string | The return address for the message. |
All_Email | size | number | The size of the message, in bytes. |
All_Email | src | string | The system that sent the message. You can alias this from more specific fields, such as `src_host`, `src_ip`, or `src_name`. | recommended
All_Email | src_bunit | string | The business unit of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | src_category | string | The category of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | src_priority | string | The priority of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | src_user | string | The email address of the message sender. | recommended
All_Email | src_user_bunit | string | The business unit of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | src_user_category | string | The category of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | src_user_priority | string | The priority of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | status_code | string | The status code associated with the message. |
All_Email | subject | string | The subject of the message. |
All_Email | tag | string | This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons. |
All_Email | url | string | The URL associated with the message, if any. |
All_Email | user | string | The user context for the `process`. This is not the email address of the sender; for that, use the `src_user` field. |
All_Email | user_bunit | string | The business unit of the user context for the `process`. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | user_category | string | The category of the user context for the `process`. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | user_priority | string | The priority of the user context for the `process`. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
All_Email | vendor_product | string | The vendor and product of the email server used for the email transaction. This field can be automatically populated by the vendor and product fields in your data. | recommended
All_Email | xdelay | string | Extended delay information for the message transaction. May contain details of all the delays from all the servers in the message transmission chain. |
All_Email | xref | string | An external reference. Can contain message IDs or recipient addresses from related messages. |
Filtering | filter_action | string | The status produced by the filter. | other: `accepted`, `rejected`, `dropped`
Filtering | filter_score | number | Numeric indicator assigned to specific emails by an email filter. |
Filtering | signature | string | The name of the filter applied. | recommended
Filtering | signature_extra | string | Any additional information about the filter. |
Filtering | signature_id | string | The ID associated with the filter name. |
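The following Python normalizer is an added example, not code from the CIM add-on or from this reference. It maps constructed Postfix-style log lines (a queue-manager line carrying the envelope, then one delivery line per recipient) onto the field names in the table above, converting the MTA's seconds to the millisecond `delay` the model expects, placing the host-specific queue id in `internal_message_id` rather than `message_id`, and checking the prescribed `protocol` values and the recommended fields. The log layout, the sample lines and the constant `vendor_product="Postfix"` are assumptions made for the example.

```python
"""Map mail-server log lines onto Splunk CIM Email field names (added example)."""
import re
from collections import Counter

# Prescribed values for the protocol field, from the Email data model reference.
PRESCRIBED_PROTOCOL = {"smtp", "imap", "pop3", "mapi"}
# Fields the reference marks "recommended" for All_Email events.
RECOMMENDED_FIELDS = ("src", "dest", "src_user", "vendor_product")

# Constructed Postfix-style lines (not captured traffic): one queue-manager line
# carrying the envelope, then one smtp delivery line per recipient.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx1 postfix/qmgr[2231]: 7F3A1C2D: from=<alice@example.com>, size=4821, nrcpt=2 (queue active)
Jan 10 12:00:02 mx1 postfix/smtp[2240]: 7F3A1C2D: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.91, delays=0.02/0.01/0.3/0.58, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:00:02 mx1 postfix/smtp[2240]: 7F3A1C2D: to=<carol@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.20, delays=0.02/0.01/0.3/0.87, dsn=5.1.1, status=bounced (550 5.1.1 User unknown)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<process>[\w/]+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
RELAY_RE = re.compile(r"^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::\d+)?$")
STATUS_RE = re.compile(r"status=\w+ \((?P<detail>[^)]*)\)")


def normalize(log_text, vendor_product="Postfix"):
    """Return one CIM-shaped event per recipient delivery attempt.

    The queue id is host-specific, so it becomes internal_message_id, not
    message_id (the RFC Message-ID header is not present in these lines).
    vendor_product is an assumed constant for this example; a real add-on
    would populate it from the data.
    """
    envelopes = {}   # queue id -> fields taken from the from= line
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        kv = {k: v.strip("<>") for k, v in KV_RE.findall(m["rest"])}
        if "from" in kv:
            envelopes[m["qid"]] = {
                "src_user": kv["from"],                    # envelope sender address
                "size": int(kv.get("size", 0)),            # bytes
                "recipient_count": int(kv.get("nrcpt", 0)),
            }
            continue
        if "to" not in kv:
            continue
        relay = RELAY_RE.match(kv.get("relay", ""))
        detail = STATUS_RE.search(m["rest"])
        event = {
            "src": m["host"],                     # system that sent the message
            "process": m["process"],              # the MTA executable
            "process_id": int(m["pid"]),
            "internal_message_id": m["qid"],
            "protocol": "smtp",                   # one of the prescribed values
            "vendor_product": vendor_product,
            "recipient": kv["to"],
            "dest": relay["host"] if relay else kv.get("relay"),
            "dest_ip": relay["ip"] if relay else None,
            # CIM delay is milliseconds; Postfix logs seconds.
            "delay": int(round(float(kv.get("delay", 0)) * 1000)),
            "xdelay": kv.get("delays"),           # per-hop delay breakdown
            "status_code": kv.get("dsn"),
            "recipient_status": kv.get("status"),
            "message_info": detail["detail"] if detail else None,
        }
        event.update(envelopes.get(m["qid"], {}))
        events.append(event)
    return events


def validate(event):
    """List the ways an event violates the reference's field rules."""
    problems = []
    for name in RECOMMENDED_FIELDS:
        if not event.get(name):
            problems.append(f"missing recommended field {name}")
    if event.get("protocol") not in PRESCRIBED_PROTOCOL:
        problems.append(f"protocol {event.get('protocol')!r} is not a prescribed value")
    # `user` is the process's user context, never the sender address.
    if event.get("user") and event["user"] == event.get("src_user"):
        problems.append("user duplicates src_user; the sender address belongs in src_user only")
    return problems


def count_by(events, field):
    """Equivalent of `| tstats count ... by All_Email.<field>` over the events."""
    return Counter(e.get(field) for e in events)


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG):
        print(ev["recipient"], ev["recipient_status"], validate(ev))
    print(count_by(normalize(SAMPLE_LOG), "recipient_status"))
```

Running the script prints one line per recipient with its delivery status and an empty problem list, then the per-status counts. In a real add-on the same mapping would be expressed in props.conf and transforms.conf, but the points the example makes carry over: unit conversion for `delay`, keeping the queue id out of `message_id`, and never aliasing the sender address into `user`.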
Search Example
The following search runs against the root dataset All_Email of the Email data model. Because it uses `summariesonly=t`, it reads only accelerated (summarized) data, so the data model must be accelerated or the search returns no results:
| tstats summariesonly=t count from datamodel="Email" by All_Email.file_name
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.16.0, 4.17.0