Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Application State (deprecated)

This data model is deprecated as of software version 4.12.0. Use the Endpoint data model instead.

The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Application State event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

Dataset name Tag name
All_Application_State (listening, port) OR (process, report) OR (service, report)
|____ Ports
listening
port
|____ Processes
process
report
|____ Services
service
report

Fields for Application State event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

Dataset name Field name Data type Description Expected values
All_Application_State dest string The compute resource where the service is installed. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
All_Application_State dest_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
All_Application_State dest_category string
All_Application_State dest_priority string
All_Application_State dest_requires_av boolean
All_Application_State dest_should_timesync boolean
All_Application_State dest_should_update boolean
All_Application_State process string The name of a process or service file, such as sqlsrvr.exe or httpd.

Note: This field is not appropriate for service or daemon names, such as SQL Server or Apache Web Server. Service or daemon names belong to the service field (see below).
All_Application_State process_name string The name of a process.
All_Application_State tag string This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons.
All_Application_State user string The user account the service is running as, such as System or httpdsvc.
All_Application_State user_bunit string These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.
All_Application_State user_category string
All_Application_State user_priority string
Ports dest_port number Network ports communicated to by the process, such as 53.
Ports transport string The network ports listened to by the application process, such as tcp, udp, etc.
Ports transport_dest_port string Calculated as transport/dest_port, such as tcp/53.
Processes cpu_load_mhz number CPU Load in megahertz
Processes cpu_load_percent number CPU Load in percent
Processes cpu_time string CPU Time
Processes mem_used number Memory used in bytes
Services service string The name of the service, such as SQL Server or Apache Web Server.

Note: This field is not appropriate for filenames, such as sqlsrvr.exe or httpd. Filenames should belong to the process field instead. Also, note that field is a string. Use the service_id field for service ID fields that are integer data types.
Services service_id string A numeric indicator for a service.
Services start_mode string The start mode for the service. disabled, manual, auto.
Services status string The status of the service. critical, started, stopped, warning
Last modified on 22 November, 2021
Alerts   Authentication

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters