This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on.
For documentation on the most recent version, go to the latest release.
Performance
The fields in the Performance data model describe performance tracking data.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with Performance event datasets
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
| Dataset name | Tag name |
|---|---|
| All_Performance | performance |
| cpu OR facilities OR memory OR storage OR network OR (os, (uptime OR (time, synchronize))) | |
|
cpu |
|
facilities |
|
memory |
|
storage |
|
network |
|
os |
|
uptime |
|
time |
| synchronize |
Fields for Performance event datasets
The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.
| Object name | Field name | Data type | Description | Abbreviated list of example values |
|---|---|---|---|---|
| All_Performance | dest
|
string | The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields in your event data, such as dest_host, dest_ip, or dest_name.
|
|
| All_Performance | dest_bunit
|
string | The business unit of the system where the event occurred. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
|
| All_Performance | dest_category
|
string | The category of the system where the event occurred. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
|
| All_Performance | dest_priority
|
string | The priority of the system where the performance event occurred. | |
| All_Performance | dest_should_timesync
|
boolean | Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
|
| All_Performance | dest_should_update
|
boolean | Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. |
|
| All_Performance | hypervisor_id
|
string | The ID of the virtualization hypervisor. | |
| All_Performance | resource_type
|
string | The type of facilities resource involved in the performance event, such as a rack, room, or system.
|
|
| All_Performance | tag
|
string | This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons. | |
| CPU | cpu_load_mhz
|
number | The amount of CPU load reported by the controller in megahertz. | |
| CPU | cpu_load_percent
|
number | The amount of CPU load reported by the controller in percentage points. | |
| CPU | cpu_time
|
number | The number of CPU seconds consumed by processes. | |
| CPU | cpu_user_percent
|
number | Percentage of CPU user time consumed by processes. | |
| Facilities | fan_speed
|
number | The speed of the cooling fan in the facilities resource, in rotations per second. | |
| Facilities | power
|
number | Amount of power consumed by the facilities resource, in kW/h. | |
| Facilities | temperature
|
number | Average temperature of the facilities resource, in °C. | |
| Memory | mem
|
number | The total amount of memory capacity reported by the resource, in megabytes. | |
| Memory | mem_committed
|
number | The committed amount of memory reported by the resource, in megabytes. | |
| Memory | mem_free
|
number | The free amount of memory reported by the resource, in megabytes. | |
| Memory | mem_used
|
number | The used amount of memory reported by the resource, in megabytes. | |
| Memory | swap
|
number | The total swap space size, in megabytes, if applicable. | |
| Memory | swap_free
|
number | The free swap space size, in megabytes, if applicable. | |
| Memory | swap_used
|
number | The used swap space size, in megabytes, if applicable. | |
| Storage | array
|
number | The array that the resource is a member of, if applicable. | |
| Storage | blocksize
|
number | Block size used by the storage resource, in kilobytes. | |
| Storage | cluster
|
string | The cluster that the resource is a member of, if applicable. | |
| Storage | fd_max
|
number | The maximum number of available file descriptors. | |
| Storage | fd_used
|
number | The current number of open file descriptors. | |
| Storage | latency
|
number | The latency reported by the resource, in milliseconds. | |
| Storage | mount
|
string | The mount point of a storage resource. | |
| Storage | parent
|
string | A generic indicator of hierarchy. For instance, a disk event might include the array ID here. | |
| Storage | read_blocks
|
number | Number of blocks read. | |
| Storage | read_latency
|
number | The latency of read operations, in milliseconds. | |
| Storage | read_ops
|
number | Number of read operations. | |
| Storage | storage
|
number | The total amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_free
|
number | The free amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_free_percent
|
number | The percentage of storage capacity reported by the resource that is free. | |
| Storage | storage_used
|
number | The used amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_used_percent
|
number | The percentage of storage capacity reported by the resource that is used. | |
| Storage | write_blocks
|
number | The number of blocks written by the resource. | |
| Storage | write_latency
|
number | The latency of write operations, in milliseconds. | |
| Storage | write_ops
|
number | The total number of write operations processed by the resource. | |
| Network | thruput
|
number | The current throughput reported by the service, in bytes. | |
| Network | thruput_max
|
number | The maximum possible throughput reported by the service, in bytes. | |
| OS | signature
|
string | The event description signature, if available. | |
| Timesync | action
|
string | The result of a time sync event. | Prescribed fields:success, failure
|
| Uptime | uptime
|
number | The uptime of the compute resource, in seconds. |
Last modified on 07 May, 2020
| Network Traffic | Splunk Audit Logs |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.15.0
Download manual
Feedback submitted, thanks!