Interprocess Messaging
The fields in the Interprocess Messaging data model describe transactional requests in programmatic interfaces. This enables you to establish the data requirements for a domain and create apps that support each other. The Interprocess Messaging data model enables reporting on:
- messaging queues such as Tibco, MSMQ, Apache ESB, IBM MQ, and XMPP.
- IPC interfaces like RPC and WMI.
- Web interfaces such as SOAP and REST.
Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.
Tags used with the Interprocess Messaging event dataset
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.
Dataset name | Tag name |
All_Interprocess_Messaging | messaging |
Fields for the Interprocess Messaging event dataset
The following table lists the extracted and calculated fields for the event dataset in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.
The key for using the column titled "Notes" or "Abbreviated list of example values" is as follows:
- Recommended: Add-on developers make a best-effort attempt to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility. See pytest-splunk-addon documentation.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.
Dataset name | Field name | Data type | Description | Abbreviated list of example values |
All_Interprocess_Messaging | dest | string | The destination of the message. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. | |
All_Interprocess_Messaging | dest_bunit | string | The business unit of the destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
All_Interprocess_Messaging | dest_category | string | The type of message destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | prescribed values: queue, topic |
All_Interprocess_Messaging | dest_priority | string | The priority of the destination. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
All_Interprocess_Messaging | duration | number | The number of seconds from message call to message response. Can be derived by getting the difference between the request_sent_time and the message_received_time. | |
All_Interprocess_Messaging | endpoint | string | The endpoint that the message accessed during the RPC (remote procedure call) transaction. | |
All_Interprocess_Messaging | endpoint_version | string | The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22. | |
All_Interprocess_Messaging | message | string | A command or reference that an RPC (remote procedure call) reads or responds to. | |
All_Interprocess_Messaging | message_consumed_time | time | The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action. | |
All_Interprocess_Messaging | message_correlation_id | string | The message correlation identification value. | |
All_Interprocess_Messaging | message_delivered_time | time | The time that the message producer sent the message. | |
All_Interprocess_Messaging | message_delivery_mode | string | The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent (meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on. | |
All_Interprocess_Messaging | message_expiration_time | time | The time that the message expired. | |
All_Interprocess_Messaging | message_id | string | The message identification. | |
All_Interprocess_Messaging | message_priority | string | The priority of the message. Important jobs that the message queue should answer no matter what receive a higher message_priority than other jobs, ensuring they are completed before the others. | |
All_Interprocess_Messaging | message_properties | string | An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using. | |
All_Interprocess_Messaging | message_received_time | time | The time that the message was received by a message-oriented middleware (MOM) solution. | |
All_Interprocess_Messaging | message_redelivered | boolean | Indicates whether or not the message was redelivered. | |
All_Interprocess_Messaging | message_reply_dest | string | The name of the destination for replies to the message. | |
All_Interprocess_Messaging | message_type | string | The type of message, such as call or reply. | |
All_Interprocess_Messaging | parameters | string | Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something like foo=bar. | |
All_Interprocess_Messaging | payload | string | The message payload. | |
All_Interprocess_Messaging | payload_type | string | The type of payload in the message. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image). | |
All_Interprocess_Messaging | request_payload | string | The content of the message request. | |
All_Interprocess_Messaging | request_payload_type | string | The type of payload in the message request. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image). | |
All_Interprocess_Messaging | request_sent_time | time | The time that the message request was sent. | |
All_Interprocess_Messaging | response_code | string | The response status code sent by the receiving server. Ranges between 200 and 404. | |
All_Interprocess_Messaging | response_payload_type | string | The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image). | |
All_Interprocess_Messaging | response_received_time | time | The time that the message response was received. | |
All_Interprocess_Messaging | response_time | number | The amount of time it took to receive a response, in seconds. | |
All_Interprocess_Messaging | return_message | string | The response status message sent by the message server. | |
All_Interprocess_Messaging | rpc_protocol | string | The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB. | |
All_Interprocess_Messaging | status | boolean | The status of the message response. | prescribed values: pass, fail |
All_Interprocess_Messaging | tag | string | This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons. | |
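
One way to check a parsed middleware event against the rules in the table above (prescribed values, fields that add-ons must not extract, the dest alias, and the derived duration). This is an added example, not Splunk code; the function name `normalize`, the ISO 8601 timestamp format, and the sample event are assumptions.

```python
from datetime import datetime

# Values the table above lists as prescribed.
PRESCRIBED = {"dest_category": {"queue", "topic"}, "status": {"pass", "fail"}}
# Fields the table says are populated automatically; add-ons must not extract them.
AUTO_FIELDS = ("dest_bunit", "dest_category", "dest_priority", "tag")
# More specific fields that the table says can be aliased to dest.
DEST_ALIASES = ("dest_host", "dest_ip", "dest_name")


def normalize(raw):
    """Return (cim_event, problems) for one parsed middleware event.

    Assumption: time fields are ISO 8601 strings that carry a UTC offset.
    """
    event, problems = dict(raw), []

    # Check prescribed values on the raw input, before anything is dropped.
    for field, allowed in PRESCRIBED.items():
        if field in event and event[field] not in allowed:
            problems.append(f"{field}: {event[field]!r} not in {sorted(allowed)}")

    # Drop fields that asset/identity correlation or tagging supplies later.
    for field in AUTO_FIELDS:
        if field in event:
            del event[field]
            problems.append(f"{field}: auto-populated, do not extract")

    # Alias dest from the first more specific field that is present.
    if "dest" not in event:
        for alias in DEST_ALIASES:
            if alias in event:
                event["dest"] = event[alias]
                break

    # Derive duration from the two timestamps the table names.
    if "duration" not in event:
        try:
            sent = datetime.fromisoformat(event["request_sent_time"])
            received = datetime.fromisoformat(event["message_received_time"])
            event["duration"] = (received - sent).total_seconds()
        except (KeyError, TypeError, ValueError):
            problems.append("duration: cannot derive, timestamps missing or malformed")
    return event, problems


# Constructed sample event; values are illustrative, not from a real broker.
SAMPLE = {"dest_host": "mq01.example.test", "dest_category": "queue", "status": "ok",
          "message_type": "call", "request_sent_time": "2024-05-01T10:00:00+00:00",
          "message_received_time": "2024-05-01T10:00:02.500000+00:00"}
```
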
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 5.3.3, 6.0.0, 6.0.1, 6.0.2, 6.0.3