Updates
The fields in the Updates data model describe patch management events from individual systems or central management tools.
Tags used with the Updates event and search objects
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables".
Object name | Tag name |
---|---|
Updates | update |
status | |
Update_Errors | update |
error |
Fields for the Updates event objects and Update_Errors search object
The following table lists the extracted and calculated fields for the event objects and search object in the model. Note that it does not include any inherited fields. For more information, see "How to use these reference tables".
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
Updates | dest
|
string | The system that is affected by the patch change. May be aliased from more specific fields, such as dest_host , dest_ip , or dest_name .
|
|
Updates | dest_bunit
|
string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
Updates | dest_category
|
string | ||
Updates | dest_priority
|
string | ||
Updates | dest_should_update
|
boolean | ||
Updates | dvc
|
string | The device that detected the patch event, such as a patching or configuration management server. May be aliased from more specific fields, such as dvc_host , dvc_ip , or dvc_name .
|
|
Updates | file_hash
|
string | The checksum of the patch package that was installed or attempted. | |
Updates | file_name
|
string | The name of the patch package that was installed or attempted. | |
Updates | signature
|
string | The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739 .Note: This is a string value. Please use signature_id for numeric indicators.
|
|
Updates | signature_id
|
int | The numeric ID of the intrusion detected on the client (the src). Note: This is an integer value. Please use signature_id for human-readable signature names.
|
|
Updates | status
|
string | Indicates the status of a given patch requirement. | available , installed , invalid , reboot_required , unknown
|
Updates | tag
|
string | This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it. | |
Updates | vendor_product
|
string | The vendor and product of the patch monitoring product, such as Lumension Patch Manager . You can extract this from the fields vendor and product in the raw event data, if available.
|
Ticket Management | Vulnerabilities |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1, 4.2.0
Feedback submitted, thanks!