Performance
The fields in the Performance data model describe performance tracking data.
Tags used with Performance event objects
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables."
Object name | Tag name |
---|---|
All_Performance | performance |
CPU | cpu |
Facilities | facilities |
Memory | memory |
Storage | storage |
Network | network |
OS | os |
Uptime | uptime |
Timesync | time, synchronize |
Fields for Performance event objects
The following table lists the extracted and calculated fields for the event objects in the model. The table does not include any inherited fields. For more information, see "How to use these reference tables."
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
All_Performance | dest | string | The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. | |
All_Performance | dest_bunit | string | The business unit of the system where the event occurred. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Performance | dest_category | string | The category of the system where the event occurred. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Performance | dest_priority | string | The priority of the system where the performance event occurred. | |
All_Performance | dest_should_timesync | boolean | Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Performance | dest_should_update | boolean | Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security. | |
All_Performance | hypervisor_id | string | The ID of the virtualization hypervisor. | |
All_Performance | resource_type | string | The type of facilities resource involved in the performance event, such as a rack, room, or system. | |
All_Performance | tag | string | A tag associated with the performance event. | |
CPU | cpu_load_mhz | number | The amount of CPU load reported by the controller in megahertz. | |
CPU | cpu_load_percent | number | The amount of CPU load reported by the controller in percentage points. | |
CPU | cpu_time | number | The number of CPU seconds consumed by processes. | |
CPU | cpu_user_percent | number | Percentage of CPU user time consumed by processes. | |
Facilities | fan_speed | number | The speed of the cooling fan in the facilities resource, in rotations per second. | |
Facilities | power | number | Amount of power consumed by the facilities resource, in Kw/h. | |
Facilities | temperature | number | Average temperature of the facilities resource, in °C. | |
Memory | mem | number | The total amount of memory capacity reported by the resource, in megabytes. | |
Memory | mem_committed | number | The committed amount of memory reported by the resource, in megabytes. | |
Memory | mem_free | number | The free amount of memory reported by the resource, in megabytes. | |
Memory | mem_used | number | The used amount of memory reported by the resource, in megabytes. | |
Memory | swap | number | The total swap space size, in megabytes, if applicable. | |
Memory | swap_free | number | The free swap space size, in megabytes, if applicable. | |
Memory | swap_used | number | The used swap space size, in megabytes, if applicable. | |
Storage | array | number | The array that the resource is a member of, if applicable. | |
Storage | blocksize | number | Block size used by the storage resource, in kilobytes. | |
Storage | cluster | string | The cluster that the resource is a member of, if applicable. | |
Storage | fd_max | number | The maximum number of available file descriptors. | |
Storage | fd_used | number | The current number of open file descriptors. | |
Storage | latency | number | The latency reported by the resource, in milliseconds. | |
Storage | mount | string | The mount point of a storage resource. | |
Storage | parent | string | A generic indicator of hierarchy. For instance, a disk event might include the array id here. | |
Storage | read_blocks | number | Number of blocks read. | |
Storage | read_latency | number | The latency of read operations, in milliseconds. | |
Storage | read_ops | number | Number of read operations. | |
Storage | storage | number | The total amount of storage capacity reported by the resource, in megabytes. | |
Storage | storage_free | number | The free amount of storage capacity reported by the resource, in megabytes. | |
Storage | storage_free_percent | number | The percentage of storage capacity reported by the resource that is free. | |
Storage | storage_used | number | The used amount of storage capacity reported by the resource, in megabytes. | |
Storage | storage_used_percent | number | The percentage of storage capacity reported by the resource that is used. | |
Storage | write_blocks | number | The number of blocks written by the resource. | |
Storage | write_latency | number | The latency of write operations, in milliseconds. | |
Storage | write_ops | number | The total number of write operations processed by the resource. | |
Network | thruput | number | The current throughput reported by the service, in bytes. | |
Network | thruput_max | number | The maximum possible throughput reported by the service, in bytes. | |
OS | signature | string | The event description signature, if available. | |
Timesync | action | string | The result of a time sync event. | success, failure, unknown |
Uptime | uptime | number | The uptime of the compute resource, in seconds. | |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1