Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Email

The fields and tags in the Email data model describe email traffic, whether server-to-server or client-to-server.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Email event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name        Tag name
All_Email           email
|____ Delivery      delivery
|____ Content       content
|____ Filtering     filter

Fields for the Email event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for the column titled "Abbreviated list of example values" follows:

  • Recommended: fields derived from the "recommended=true" JSON parameter. Add-on (TA) developers need to make a best effort to map these fields.
  • Prescribed fields: the permitted values that can populate the field, derived from the "expected_values" JSON parameter.
  • Other: further example values that you might see in your data.
Dataset name | Field name | Data type | Description | Abbreviated list of example values
Email | action | string | Action taken by the reporting device. | recommended; prescribed fields: delivered, blocked, quarantined, deleted
Email | delay | number | Total sending delay in milliseconds. |
Email | dest | string | The endpoint system to which the message was delivered. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. | recommended
Email | dest_bunit | string | The business unit of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | dest_category | string | The category of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | dest_priority | string | The priority of the endpoint system to which the message was delivered. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | duration | number | The amount of time for the completion of the messaging event, in seconds. |
Email | file_hash | string | The hashes for the files attached to the message, if any exist. |
Email | file_name | string | The names of the files attached to the message, if any exist. |
Email | file_size | number | The size of the files attached to the message, in bytes. |
Email | internal_message_id | string | Host-specific unique message identifier. | other: aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, MID in IronPort
Email | message_id | string | The globally unique message identifier. |
Email | message_info | string | Additional information about the message. |
Email | orig_dest | string | The original destination host of the message. The message destination host can change when a message is relayed or bounced. |
Email | orig_recipient | string | The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient. |
Email | orig_src | string | The original source of the message. |
Email | process | string | The name of the email executable that carries out the message transaction. | other: sendmail, postfix, or the name of an email client
Email | process_id | number | The numeric identifier of the process invoked to send the message. |
Email | protocol | string | The email protocol involved, such as SMTP or RPC. | prescribed fields: smtp, imap, pop3, mapi
Email | recipient | string | A field listing individual recipient email addresses. | recommended; other: recipient="foo@splunk.com", recipient="bar@splunk.com"
Email | recipient_count | number | The total number of intended message recipients. |
Email | recipient_status | string | The recipient delivery status, if available. |
Email | response_time | number | The amount of time it took to receive a response in the messaging event, in seconds. |
Email | retries | number | The number of times that the message was automatically resent because it was bounced back, or because of a similar transmission error condition. |
Email | return_addr | string | The return address for the message. |
Email | size | number | The size of the message, in bytes. |
Email | src | string | The system that sent the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name. | recommended
Email | src_bunit | string | The business unit of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | src_category | string | The category of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | src_priority | string | The priority of the system that sent the message. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | src_user | string | The email address of the message sender. | recommended
Email | src_user_bunit | string | The business unit of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | src_user_category | string | The category of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | src_user_priority | string | The priority of the message sender. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | status_code | string | The status code associated with the message. |
Email | subject | string | The subject of the message. |
Email | tag | string | This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons. |
Email | url | string | The URL associated with the message, if any. |
Email | user | string | The user context for the process. This is not the email address of the sender; for that, use the src_user field. |
Email | user_bunit | string | The business unit of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | user_category | string | The category of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | user_priority | string | The priority of the user context for the process. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
Email | vendor_product | string | The vendor and product of the email server used for the email transaction. This field can be automatically populated by the vendor and product fields in your data. | recommended
Email | xdelay | string | Extended delay information for the message transaction. May contain details of all the delays from all the servers in the message transmission chain. |
Email | xref | string | An external reference. Can contain message IDs or recipient addresses from related messages. |
Filtering | filter_action | string | The status produced by the filter. | other: accepted, rejected, dropped
Filtering | filter_score | number | Numeric indicator assigned to specific emails by an email filter. |
Filtering | signature | string | The name of the filter applied. | recommended
Filtering | signature_extra | string | Any additional information about the filter. |
Filtering | signature_id | string | The ID associated with the filter name. |
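The table above tells an add-on author which field names to emit, which values are prescribed, and which units are expected, but not how a raw MTA log becomes such an event. The following is an added example, not code from the Splunk CIM Add-on or its documentation: it folds constructed Postfix-style syslog lines for one queue ID into a single record that uses the Email dataset field names, converts the Postfix delay (seconds) into the milliseconds the table requires, and checks the result against the prescribed action and protocol values. The Postfix-status-to-action mapping (sent to delivered, bounced to blocked) and the vendor_product value are assumptions that a real add-on would have to confirm; the sample log lines are constructed.

```python
"""Normalize constructed Postfix-style log lines into Splunk CIM Email fields.

Added example; not part of the Splunk CIM Add-on. The status -> action mapping
and vendor_product value are assumptions, and the sample log is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Prescribed values copied from the Email data model field table.
PRESCRIBED_ACTION = {"delivered", "blocked", "quarantined", "deleted"}
PRESCRIBED_PROTOCOL = {"smtp", "imap", "pop3", "mapi"}

# Assumption: Postfix delivery status -> prescribed CIM action. "deferred" has
# no prescribed equivalent, so it is left unmapped and only appears in
# recipient_status / status_code.
STATUS_TO_ACTION = {"sent": "delivered", "bounced": "blocked"}

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<process>postfix)/(?P<daemon>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-F]+): (?P<body>.*)$"
)
# key=<angle-bracketed value> or key=bare-value, as Postfix writes them.
KV_RE = re.compile(r"(?P<k>[\w-]+)=(?:<(?P<angled>[^>]*)>|(?P<plain>[^,\s]+))")


@dataclass
class EmailEvent:
    """One CIM Email event; attribute names are the dataset field names."""
    internal_message_id: str          # Postfix queue ID (host-specific)
    src: str                          # MTA host that handled the message
    process: str                      # "postfix"
    process_id: int                   # PID of the first line seen for the queue ID
    protocol: str = "smtp"
    vendor_product: str = "Postfix"   # assumption for this sample
    src_user: str | None = None
    message_id: str | None = None     # globally unique Message-ID header
    size: int | None = None
    recipient_count: int | None = None
    recipient: list[str] = field(default_factory=list)
    recipient_status: list[str] = field(default_factory=list)
    action: str | None = None
    status_code: str | None = None    # last DSN code seen
    dest: str | None = None
    dest_ip: str | None = None
    delay: int | None = None          # milliseconds, as the field table requires


def parse_kv(body: str) -> dict[str, str]:
    """Extract key=value pairs from the part of the line after the queue ID."""
    return {m["k"]: m["angled"] if m["angled"] is not None else m["plain"]
            for m in KV_RE.finditer(body)}


def normalize(lines: list[str]) -> dict[str, EmailEvent]:
    """Fold the per-queue-ID Postfix lines into one EmailEvent per queue ID."""
    events: dict[str, EmailEvent] = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                          # not a Postfix queue line; skip
        ev = events.setdefault(m["qid"], EmailEvent(
            internal_message_id=m["qid"], src=m["host"],
            process=m["process"], process_id=int(m["pid"])))
        kv = parse_kv(m["body"])
        if "from" in kv:
            ev.src_user = kv["from"]
        if "size" in kv:
            ev.size = int(kv["size"])
        if "nrcpt" in kv:
            ev.recipient_count = int(kv["nrcpt"])
        if "message-id" in kv:
            ev.message_id = kv["message-id"]
        if "to" in kv:                        # one delivery attempt per line
            ev.recipient.append(kv["to"])
            ev.recipient_status.append(kv.get("status", "unknown"))
            ev.status_code = kv.get("dsn", ev.status_code)
            if "delay" in kv:                 # Postfix logs seconds; CIM wants ms
                ev.delay = int(round(float(kv["delay"]) * 1000))
            rm = re.match(r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]", kv.get("relay", ""))
            if rm:
                ev.dest, ev.dest_ip = rm["host"], rm["ip"]
            mapped = STATUS_TO_ACTION.get(kv.get("status", ""))
            # A blocked recipient outranks an earlier delivered one.
            if mapped == "blocked" or ev.action is None:
                ev.action = mapped
    return events


def validate(ev: EmailEvent) -> list[str]:
    """Return CIM conformance problems for one event (empty list = clean)."""
    problems = []
    if ev.action is not None and ev.action not in PRESCRIBED_ACTION:
        problems.append(f"action={ev.action!r} is not a prescribed value")
    if ev.protocol not in PRESCRIBED_PROTOCOL:
        problems.append(f"protocol={ev.protocol!r} is not a prescribed value")
    if ev.recipient_count is not None and ev.recipient_count != len(set(ev.recipient)):
        problems.append("recipient_count does not match the recipients seen")
    return problems


# Constructed sample: one message, two recipients, plus an unrelated sshd line.
SAMPLE_LOG = """\
Jan 12 10:15:01 mx1 postfix/qmgr[1099]: 4F2A1B3C9D: from=<sender@corp.example>, size=2048, nrcpt=2 (queue active)
Jan 12 10:15:01 mx1 postfix/cleanup[2200]: 4F2A1B3C9D: message-id=<20240112101500.ABC@corp.example>
Jan 12 10:15:02 mx1 postfix/smtp[2314]: 4F2A1B3C9D: to=<alice@example.com>, relay=mail.example.com[203.0.113.10]:25, delay=0.42, delays=0.1/0.01/0.2/0.11, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 12 10:15:03 mx1 postfix/smtp[2314]: 4F2A1B3C9D: to=<bob@example.com>, relay=mail.example.com[203.0.113.10]:25, delay=1.7, delays=0.1/0.01/0.2/1.39, dsn=5.1.1, status=bounced (host said: 550 5.1.1 user unknown)
Jan 12 10:15:04 mx1 sshd[999]: Accepted publickey for ops from 198.51.100.7 port 50222
""".splitlines()

if __name__ == "__main__":
    for event in normalize(SAMPLE_LOG).values():
        print(event)
        print("conformance problems:", validate(event) or "none")
```

Two details carry over to a real add-on: the delay field is converted to milliseconds because the table defines it that way, and a delivery status with no prescribed equivalent is left out of action rather than being forced into one of the four values, so a dashboard filtering on action=delivered does not silently count deferred mail.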

Search Example

The following example searches the Email data model from its root dataset, All_Email:

| tstats summariesonly=t count from datamodel="Email" by All_Email.file_name

With summariesonly=t, the search reads only accelerated (summarized) data; set it to f to also include events that have not yet been summarized, at the cost of a slower search.

Last modified on 31 August, 2020

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.16.0, 4.17.0

