Splunk Audit Logs
The fields in the Splunk Audit Logs data model describe audit information for systems producing event logs.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with the Audit event datasets
The following tags act as constraints to identify your events as being relevant to the Modular_Actions dataset in this data model. For more information, see How to use these reference tables.
Although it is not part of the data model shipped in the CIM add-on, the common information model expects the tag modaction_result
for events produced by custom alert actions.
Dataset name | Tag name |
Modular_Actions | modaction |
invocation |
Fields for the event dataset and the search datasets
The following table lists the extracted and calculated fields for the event dataset and search datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.
The key for using the column titled "Notes" or "Abbreviated list of example values" is as follows:
- Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.
Dataset name | Field name | Data type | Description | Abbreviated list of example values |
View_Activity | app
string | The app name which contains the view. | |
View_Activity | spent
number | The amount of time spent loading the view (in milliseconds). | |
View_Activity | uri
string | The uniform resource identifier of the view activity. | |
View_Activity | user
string | The username of the user who accessed the view. | |
View_Activity | view
string | The name of the view. | |
Datamodel_Acceleration | access_count
number | The number of times the data model summary has been accessed since it was created. | |
Datamodel_Acceleration | access_time
time | The timestamp of the most recent access of the data model summary. | |
Datamodel_Acceleration | app
string | The application context in which the data model summary was accessed. | |
Datamodel_Acceleration | buckets
number | The number of index buckets spanned by the data model acceleration summary. | |
Datamodel_Acceleration | buckets_size
number | The total size of the bucket(s) spanned by the data model acceleration summary. | |
Datamodel_Acceleration | complete
number | The percentage of the data model summary that is currently complete. | other:0-100
Datamodel_Acceleration | cron
string | The cron expression used to accelerate the data model. | |
Datamodel_Acceleration | datamodel
string | The name of the data model accelerated. | |
Datamodel_Acceleration | digest
string | A hash of the current data model constraints. | |
Datamodel_Acceleration | earliest
time | The earliest time that the data model summary was accessed. | |
Datamodel_Acceleration | is_inprogress
boolean | Indicates whether the data model acceleration is currently in progress. | prescribed values:true , false , 1 , 0
Datamodel_Acceleration | last_error
string | The text of the last error reported during the data model acceleration. | |
Datamodel_Acceleration | last_sid
string | The search id of the last acceleration attempt. | |
Datamodel_Acceleration | latest
time | The most recent acceleration timestamp of the data model. | |
Datamodel_Acceleration | mod_time
time | The timestamp of the most recent modification to the data model acceleration. | |
Datamodel_Acceleration | retention
number | The length of time that data model accelerations are retained, in seconds. | |
Datamodel_Acceleration | size
number | The amount of storage space the data model's acceleration summary takes up, in bytes. | |
Datamodel_Acceleration | summary_id
string | The unique id of the data model acceleration summary. | |
Search_Activity | host
string | The host on which the search occurred. | |
Search_Activity | info
string | The action of the search (granted, completed, cancelled, failed). | |
Search_Activity | search
string | The search string. | |
Search_Activity | search_et
string | The earliest time of the search. | |
Search_Activity | search_lt
string | The latest time of the search. | |
Search_Activity | search_type
string | The type of search. | |
Search_Activity | source
string | The source associated with the search. | |
Search_Activity | sourcetype
string | The source types included in the search. | |
Search_Activity | user
string | The name of the user who ran the search. | |
Search_Activity | user_bunit
string | These fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons. | |
Search_Activity | user_category
string | ||
Search_Activity | user_priority
string | ||
Scheduler_Activity | app
string | The app context in which the scheduled search was run. | |
Scheduler_Activity | host
string | The host on which the scheduled search was run. | |
Scheduler_Activity | savedsearch_name
string | The name of the saved search. | |
Scheduler_Activity | sid
string | The search id. | |
Scheduler_Activity | source
string | The source associated with the scheduled search. | |
Scheduler_Activity | sourcetype
string | The source type associated with the scheduled search. | |
Scheduler_Activity | splunk_server
string | The Splunk Server on which the scheduled search runs. | |
Scheduler_Activity | status
string | The status of the scheduled search. | |
Scheduler_Activity | user
string | The user who scheduled the search. | |
Web_Service_Errors | host
string | The host on which the web service error occurred. | |
Web_Service_Errors | source
string | The source where the web service error occurred. | |
Web_Service_Errors | sourcetype
string | The source type associated with the web service error. | |
Web_Service_Errors | event_id
string | The unique event_id for the web service error event. | |
Modular_Actions | action_mode
string | Specifies whether the action was executed as an ad hoc action or from a saved search, based on whether a search_name exists.
prescribed values:saved , adhoc
Modular_Actions | action_status
string | The status of the action. For example, "success", "failure", or "pending". | |
Modular_Actions | app
string | The app ID of the app or add-on that owns the action. | |
Modular_Actions | duration
number | How long the action took to complete, in milliseconds. | |
Modular_Actions | component
string | The component of the modular action script involved in the event. Often used in conjunction with duration. | |
Modular_Actions | orig_rid
string | The rid value of a source action result, automatically added to an event if it is the product of a previously executed action.
Modular_Actions | orig_sid
string | The original sid value of a source action, automatically added to an event if it is the product of a previously executed action.
Modular_Actions | rid
string | The id associated with the result of a specific sid . By default, this is the row number of the search, starting with 0.
Modular_Actions | search_name
string | The name of the correlation search that triggered the action. Blank for ad hoc actions. | |
Modular_Actions | action_name
string | The name of the action. | |
Modular_Actions | signature
string | The logging string associated with alert action introspection events. | |
Modular_Actions | sid
string | The search id, automatically assigned by splunkd. | |
Modular_Actions | user
string | The user who triggered an ad hoc alert. Not relevant for actions triggered by searches. |
Performance | Ticket Management |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 5.3.3, 6.0.0, 6.0.1, 6.0.2, 6.0.3
Feedback submitted, thanks!