Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Updates

The fields in the Updates data model describe patch management events from individual systems or central management tools.

Tags used with the Updates event and search objects

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables".

Object name Tag name
Updates update
status
Update_Errors update
error

Fields for the Updates event objects and Update_Errors search object

The following table lists the extracted and calculated fields for the event objects and search object in the model. Note that it does not include any inherited fields. For more information, see "How to use these reference tables".

Object name Field name Data type Description Possible values
Updates dest string The system that is affected by the patch change. May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
Updates dest_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
Updates dest_category string
Updates dest_priority string
Updates dest_should_update boolean
Updates dvc string The device that detected the patch event, such as a patching or configuration management server. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
Updates file_hash string The checksum of the patch package that was installed or attempted.
Updates file_name string The name of the patch package that was installed or attempted.
Updates signature string The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739.

Note: This is a string value. Please use signature_id for numeric indicators.
Updates signature_id int The numeric ID of the intrusion detected on the client (the src).

Note: This is an integer value. Please use signature_id for human-readable signature names.
Updates status string Indicates the status of a given patch requirement. available, installed, invalid, reboot_required, unknown
Updates tag string This automatically generated field is used to access tags from within datamodels. Add-on builders do not need to populate it.
Updates vendor_product string The vendor and product of the patch monitoring product, such as Lumension Patch Manager. You can extract this from the fields vendor and product in the raw event data, if available.
Last modified on 11 February, 2016
Ticket Management   Vulnerabilities

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0, 4.1.0, 4.1.1, 4.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters