This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Splunk Audit Logs
The fields in the Splunk Audit Logs data model describe audit information for systems producing event logs. This data model does not employ any tags.
Fields for the View_Activity event object and the search objects
The following table lists the extracted and calculated fields for the event object and search objects in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.
| Object name | Field name | Data type | Description | Expected values |
|---|---|---|---|---|
| View_Activity | app
|
string | The app name which contains the view. | |
| View_Activity | user
|
string | The username of the user who accessed the view. | |
| View_Activity | view
|
string | The name of the view. | |
| Datamodel_Acceleration | access_count
|
number | The number of times the data model summary has been accessed since it was created. | |
| Datamodel_Acceleration | access_time
|
time | The timestamp of the most recent access of the data model summary. | |
| Datamodel_Acceleration | app
|
string | The application context in which the data model summary was accessed. | |
| Datamodel_Acceleration | buckets
|
number | The number of index buckets spanned by the data model acceleration summary. | |
| Datamodel_Acceleration | buckets_size
|
number | The total size of the bucket(s) spanned by the data model acceleration summary. | |
| Datamodel_Acceleration | complete
|
number | The percentage of the data model summary that is currently complete. | 0-100
|
| Datamodel_Acceleration | cron
|
string | The cron expression used to accelerate the data model. | |
| Datamodel_Acceleration | datamodel
|
string | The name of the data model accelerated. | |
| Datamodel_Acceleration | digest
|
string | A hash of the current data model contents. | |
| Datamodel_Acceleration | earliest
|
time | The earliest time that the data model summary was accessed. | |
| Datamodel_Acceleration | is_inprogress
|
boolean | Indicates whether the data model acceleration is currently in progress. | true, false, 1, 0
|
| Datamodel_Acceleration | last_error
|
string | The text of the last error reported during the data model acceleration. | |
| Datamodel_Acceleration | last_sid
|
string | The search id of the last acceleration attempt. | |
| Datamodel_Acceleration | latest
|
time | The most recent acceleration timestamp of the data model. | |
| Datamodel_Acceleration | mod_time
|
time | The timestamp of the most recent modification to the data model acceleration. | |
| Datamodel_Acceleration | retention
|
number | The length of time that data model accelerations are retained. | |
| Datamodel_Acceleration | size
|
number | The amount of storage space the data model's acceleration summary takes up, in megabytes. | |
| Datamodel_Acceleration | summary_id
|
string | The unique id of the data model acceleration summary. | |
| Search_Activity | host
|
string | The host on which the search occurred. | |
| Search_Activity | info
|
string | The action of the search (granted, completed, cancelled, failed). | |
| Search_Activity | search
|
string | The search string. | |
| Search_Activity | search_type
|
string | The type of search. | |
| Search_Activity | source
|
string | The source associated with the search. | |
| Search_Activity | sourcetype
|
string | The sourcetype(s) included in the search. | |
| Search_Activity | user
|
string | The name of the user who ran the search. | |
| Search_Activity | user_bunit
|
string | The business unit of the user who ran the search. | |
| Search_Activity | user_category
|
string | The category of the user who ran the search. | |
| Search_Activity | user_priority
|
string | The priority of the user who ran the search. | |
| Scheduler_Activity | app
|
string | The app context in which the scheduled search was run. | |
| Scheduler_Activity | host
|
string | The host on which the scheduled search was run. | |
| Scheduler_Activity | savedsearch_name
|
string | The name of the saved search. | |
| Scheduler_Activity | sid
|
string | The search id. | |
| Scheduler_Activity | source
|
string | The source associated with the scheduled search. | |
| Scheduler_Activity | sourcetype
|
string | The sourcetype associated with the scheduled search. | |
| Scheduler_Activity | splunk_server
|
string | The Splunk Server on which the scheduled search runs. | |
| Scheduler_Activity | status
|
string | The status of the scheduled search. | |
| Scheduler_Activity | user
|
string | The user who scheduled the search. | |
| Web_Service_Errors | host
|
string | The host on which the web service error occurred. | |
| Web_Service_Errors | source
|
string | The source where the web service error occurred. | |
| Web_Service_Errors | sourcetype
|
string | The sourcetype associated with the web service error. | |
| Web_Service_Errors | event_id
|
string | The unique event_id for the web service error event. |
Last modified on 15 December, 2016
| Performance | Ticket Management |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.4.0
Download manual
Feedback submitted, thanks!