Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Acrobat logo Download topic as PDF


The fields in the Updates data model describe patch management events from individual systems or central management tools.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with the Updates event and search datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
Updates update
Update_Errors update

Fields for the Updates event datasets and Update_Errors search dataset

The following table lists the extracted and calculated fields for the event datasets and search dataset in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

  • Recommended are fields derived from the "recommended=true" JSON parameter that the TA developers need to make best efforts to map
  • Prescribed fields are the permitted values that can populate the fields, which are derived from the "expected_values" JSON parameter
  • Other values are other example values that you might see
Dataset name Field name Data type Description Abbreviated list of example values
Updates dest string The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. recommended
Updates dest_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
Updates dest_category string
Updates dest_priority string
Updates dest_should_update boolean
Updates dvc string The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
Updates file_hash string The checksum of the patch package that was installed or attempted.
Updates file_name string The name of the patch package that was installed or attempted.
Updates severity string The severity associated with the patch event. prescribed fields:
critical, high, medium, low, informational
Updates signature string The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739.

Note: This is a string value. Use signature_id for numeric indicators.
Updates signature_id int The ID of the patch requirement detected on the client (the src).

Note: Use signature for human-readable signature names.
Updates status string Indicates the status of a given patch requirement.
  • recommended
  • prescribed fields:
    available, installed, invalid, "restart required"
Updates tag string This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons.
Updates vendor_product string The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data. recommended
Last modified on 14 August, 2020
Ticket Management

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.16.0, 4.17.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters