Web
The fields in the Web data model describe web server and/or proxy server data in a security or operational context.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with the Web event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name |
---|---|
Web | web |
|
proxy |
|
storage |
Fields for Web event datasets
The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.
The key for using the column titled "Notes" or "Abbreviated list of example values" is as follows:
- Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.
Dataset name | Field name | Data type | Description | Abbreviated list of example values |
---|---|---|---|---|
Web | action
|
string | The action taken by the server or proxy. |
|
Web | app
|
string | The application detected or hosted by the server/site such as WordPress, Splunk, or Facebook. | |
Web | bytes
|
number | The total number of bytes transferred (bytes_in + bytes_out ).
|
|
Web | bytes_in
|
number | The number of inbound bytes transferred. |
|
Web | bytes_out
|
number | The number of outbound bytes transferred. |
|
Web | cached
|
boolean | Indicates whether the event data is cached or not. | prescribed values:true , false , 1 , 0
|
Web | category
|
string | The category of traffic, such as may be provided by a proxy server. | required for pytest-splunk-addon |
Web | cookie
|
string | The cookie file recorded in the event. | |
Web | dest
|
string | The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host , dest_ip , or dest_name .
|
|
Web | dest_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
Web | dest_category
|
string | ||
Web | dest_priority
|
string | ||
Web | dest_port
|
number | The destination port of the web traffic. | required for pytest-splunk-addon |
Web | duration
|
number | The time taken by the proxy event, in milliseconds. | |
Web | http_content_type
|
string | The content-type of the requested HTTP resource. | recommended |
Web | http_method
|
string | The HTTP method used in the request. |
|
Web | http_referrer
|
string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer . Use a FIELDALIAS to handle both key names.
|
recommended |
Web | http_referrer_domain
|
string | The domain name contained within the HTTP referrer used in the request. | recommended |
Web | http_user_agent
|
string | The user agent used in the request. |
|
Web | http_user_agent_length
|
number | The length of the user agent used in the request. | required for pytest-splunk-addon |
Web | response_time
|
number | The amount of time it took to receive a response, if applicable, in milliseconds. | |
Web | site
|
string | The virtual site which services the request, if applicable. | |
Web | src
|
string | The source of the network traffic (the client requesting the connection). |
|
Web | src_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
Web | src_category
|
string | ||
Web | src_priority
|
string | ||
Web | status
|
string | The HTTP response code indicating the status of the proxy request. |
|
Web | tag
|
string | This automatically generated field is used to access tags from within datamodels. Do not define extractions for this field when writing add-ons. | |
Web | uri_path
|
string | The path of the resource served by the webserver or proxy. | other:/CertEnroll/Blue%20Coat%20Systems
|
Web | uri_query
|
string | The path of the resource requested by the client. | other:?return_to=%2Fen-US%2Fapp%2Fsimple_xml_examples%2Fcustom_viz_
|
Web | url
|
string | The URL of the requested HTTP resource. |
|
Web | url_domain
|
string | The domain name contained within the URL of the requested HTTP resource. | recommended |
Web | url_length
|
number | The length of the URL. | |
Web | user
|
string | The user that requested the HTTP resource. | recommended |
Web | user_bunit
|
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
Web | user_category
|
string | ||
Web | user_priority
|
string | ||
Web | vendor_product
|
string | The vendor and product of the proxy server, such as Squid Proxy Server . This field can be automatically populated by vendor and product fields in your data.
|
recommended |
Storage | error_code
|
string | The error code that occurred while accessing the storage account. | other: NoSuchBucket
|
Storage | operation
|
string | The operation performed on the storage account. | other: REST.PUT.OBJECT
|
Storage | storage_name
|
string | The name of the bucket or storage account. | other: es-csm-files
|
Vulnerabilities | Approaches to using the CIM |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.19.0, 4.20.0, 4.20.2
Feedback submitted, thanks!