Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Performance

The fields in the Performance data model describe performance tracking data.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Performance event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
All_Performance performance
cpu OR facilities OR memory OR storage OR network OR (os, (uptime OR (time, synchronize)))
|____CPU
cpu
|____Facilities
facilities
|____Memory
memory
|____Storage
storage
|____Network
network
|____OS
os
|____Uptime
uptime
|____Timesync
time
synchronize

Fields for Performance event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

  • Recommended are fields derived from the "recommended=true" JSON parameter that the TA developers need to make best efforts to map
  • Prescribed fields are the permitted values that can populate the fields, which are derived from the "expected_values" JSON parameter
  • Other values are other example values that you might see
Object name Field name Data type Description Abbreviated list of example values
All_Performance dest string The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields in your event data, such as dest_host, dest_ip, or dest_name. recommended
All_Performance dest_bunit string The business unit of the system where the event occurred.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
All_Performance dest_category string The category of the system where the event occurred.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
All_Performance dest_priority string The priority of the system where the performance event occurred.
All_Performance dest_should_timesync boolean Indicates whether or not the system where the performance event occurred should time sync.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
All_Performance dest_should_update boolean Indicates whether or not the system where the performance event occurred should update.

This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
All_Performance hypervisor_id string The ID of the virtualization hypervisor.
All_Performance resource_type string The type of facilities resource involved in the performance event, such as a rack, room, or system.
All_Performance tag string This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.
CPU cpu_load_mhz number The amount of CPU load reported by the controller in megahertz.
CPU cpu_load_percent number The amount of CPU load reported by the controller in percentage points. recommended
CPU cpu_time number The number of CPU seconds consumed by processes.
CPU cpu_user_percent number Percentage of CPU user time consumed by processes.
Facilities fan_speed number The speed of the cooling fan in the facilities resource, in rotations per second.
Facilities power number Amount of power consumed by the facilities resource, in kW/h.
Facilities temperature number Average temperature of the facilities resource, in °C. recommended
Memory mem number The total amount of memory capacity reported by the resource, in megabytes. recommended
Memory mem_committed number The committed amount of memory reported by the resource, in megabytes.
Memory mem_free number The free amount of memory reported by the resource, in megabytes. recommended
Memory mem_used number The used amount of memory reported by the resource, in megabytes. recommended
Memory swap number The total swap space size, in megabytes, if applicable.
Memory swap_free number The free swap space size, in megabytes, if applicable.
Memory swap_used number The used swap space size, in megabytes, if applicable.
Storage array number The array that the resource is a member of, if applicable.
Storage blocksize number Block size used by the storage resource, in kilobytes.
Storage cluster string The cluster that the resource is a member of, if applicable.
Storage fd_max number The maximum number of available file descriptors.
Storage fd_used number The current number of open file descriptors.
Storage latency number The latency reported by the resource, in milliseconds.
Storage mount string The mount point of a storage resource.
Storage parent string A generic indicator of hierarchy. For instance, a disk event might include the array ID here.
Storage read_blocks number Number of blocks read.
Storage read_latency number The latency of read operations, in milliseconds.
Storage read_ops number Number of read operations.
Storage storage number The total amount of storage capacity reported by the resource, in megabytes.
Storage storage_free number The free amount of storage capacity reported by the resource, in megabytes. recommended
Storage storage_free_percent number The percentage of storage capacity reported by the resource that is free. recommended
Storage storage_used number The used amount of storage capacity reported by the resource, in megabytes. recommended
Storage storage_used_percent number The percentage of storage capacity reported by the resource that is used. recommended
Storage write_blocks number The number of blocks written by the resource.
Storage write_latency number The latency of write operations, in milliseconds.
Storage write_ops number The total number of write operations processed by the resource.
Network thruput number The current throughput reported by the service, in bytes. recommended
Network thruput_max number The maximum possible throughput reported by the service, in bytes.
OS signature string The event description signature, if available. recommended
Timesync action string The result of a time sync event.
  • recommended
  • prescribed fields:
    success, failure
Uptime uptime number The uptime of the compute resource, in seconds. recommended
Last modified on 13 August, 2020
Network Traffic   Splunk Audit Logs

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.16.0, 4.17.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters