Change
The Change data model replaces the Change Analysis data model, which is deprecated as of software version 4.12.0.
The fields in the Change data model describe Create
, Read
, Update
, and Delete
activities from any data source.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Change event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name |
---|---|
All_Changes | change |
|
audit |
|
endpoint |
|
network |
|
account |
Fields for Change event dataset
The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.
The key for using the column titled "Abbreviated list of example values" follows:
- Recommended are fields derived from the "recommended=true" JSON parameter that the TA developers need to make best efforts to map
- Prescribed fields are the permitted values that can populate the fields, which are derived from the "expected_values" JSON parameter
- Other values are other example values that you might see
Dataset name | Field name | Data type | Description | Abbreviated list of example values |
---|---|---|---|---|
All_Changes | action
|
string | The action attempted on the resource, regardless of success or failure. |
|
All_Changes | change_type
|
string | The type of change, such as filesystem or AAA (authentication, authorization, and accounting).
|
|
All_Changes | command
|
string | The command that initiated the change. | recommended |
All_Changes | dest
|
string | The resource where change occurred. You can alias this from more specific fields not included in this data model, such as dest_host , dest_ip , or dest_name .
|
recommended |
All_Changes | dest_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
All_Changes | dest_category
|
string | ||
All_Changes | dest_priority
|
string | ||
All_Changes | dvc
|
string | The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields not included in this data model, such as dvc_host , dvc_ip , or dvc_name .
|
recommended |
All_Changes | object
|
string | Name of the affected object on the resource (such as a router interface, user account, or server volume). | recommended |
All_Changes | object_attrs
|
string | The attributes that were updated on the updated resource object, if applicable. | recommended |
All_Changes | object_category
|
string | Generic name for the class of the updated resource object. Expected values may be specific to an app. |
|
All_Changes | object_id
|
string | The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value). | recommended |
All_Changes | object_path
|
string | The path of the modified resource object, if applicable (such as a file, directory, or volume). | recommended |
All_Changes | result
|
string | The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full . result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types.
|
|
All_Changes | result_id
|
string | A result indicator for an action status.
|
recommended |
All_Changes | src
|
string | The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host , src_ip , or src_name .
|
recommended |
All_Changes | src_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
All_Changes | src_category
|
string | ||
All_Changes | src_priority
|
string | ||
All_Changes | status
|
string | Status of the update. |
|
All_Changes | tag
|
string | This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons. | |
All_Changes | user
|
string | The user or entity performing the change. For account changes, this is the account that was changed. See src_user for user or entity performing the change.
|
recommended |
All_Changes | user_agent
|
string | The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 .
|
|
All_Changes | user_type
|
string | The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request. | |
All_Changes | vendor_account
|
string | The account that manages the user that initiated the request. | |
All_Changes | vendor_product
|
string | The vendor and product or service that detected the change. This field can be automatically populated by vendor and product fields in your data.
|
recommended |
Account_Management | dest_nt_domain
|
string | The NT domain of the destination, if applicable. | recommended |
Account_Management | src_nt_domain
|
string | The NT domain of the source, if applicable. | recommended |
Account_Management | src_user
|
string | For account changes, the user or entity performing the change. | recommended |
Account_Management | src_user_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
Account_Management | src_user_category
|
string | ||
Account_Management | src_user_priority
|
string | ||
Account_Management | src_user_type
|
string | For account changes, this should represent the type of the user or entity performing the change. |
Certificates | Change Analysis (deprecated) |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.17.0
Feedback submitted, thanks!