Splunk IT Service Intelligence (ITSI) version 4.12.x reached its End of Life on January 22, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of Splunk® IT Service Intelligence.
For documentation on the most recent version, go to the latest release.
Operating System Module data model reference table
Use the below tables as a reference for the data models of this module. The tables contain a breakdown of the required tags for the event objects or searches in that model, and a listing of all extracted and calculated fields included in the model. Data models can be edited by navigating to Settings > Data models.
For information on how to map your data to the data models available in the Splunk IT Service Intelligence Modules, see the below links:
- How to use these reference tables in the Common Information Model Add-on Manual.
- About data models in the Splunk Enterprise Knowledge Manager Manual.
Tags used with event objects
The following tags act as constraints to identify your events as being relevant to this data model.
| Object name | Tag name |
|---|---|
| Performance | performance |
|
performance, cpu |
|
performance, memory |
|
performance, storage |
|
performance, network |
|
performance, os |
|
performance, facilities |
|
performance, process |
| Inventory | inventory |
|
inventory, cpu OR memory |
|
inventory, storage |
|
inventory, network |
| User information | user AND inventory |
| Updates | update, status |
|
update, status, status="available" |
|
update, status, status="installed" |
|
update, status, status="restart_required" |
| Security | access |
|
access, user |
|
access, file |
Fields for OS Module event objects
The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.
| Object name | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Performance | hypervisor_id
|
string | The ID of the virtualization hypervisor. | |
| Performance | resource_type
|
string | The type of facilities resource involved in the event. | |
| Performance | tag
|
string | A tag associated with the event. | |
| Performance | dest
|
string | The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| CPU | cpu_count
|
number | The number of CPUs reported by the resource. | |
| CPU | cpu_load_mhz
|
number | The amount of cpu mhz load being used. | |
| CPU | cpu_load_percent
|
number | The percentage of cpu load being used. | |
| CPU | cpu_time
|
number | The number of CPU seconds consumed by processes. | |
| CPU | cpu_user_percent
|
number | Percentage of CPU user time consumed by processes. | |
| CPU | wait_threads_count
|
number | Total number of threads waiting to execute. | |
| Memory | mem_free
|
number | The free amount of memory reported by the resource, in megabytes. | |
| Memory | mem_free_percent
|
number | The percentage of free memory reported by the resource, in megabytes. | |
| Memory | mem_used
|
number | The used amount of memory reported by the resource, in megabytes. | |
| Memory | mem_used_percent
|
number | The percentage of memory used reported by the resource.. | |
| Memory | mem_user_percent
|
number | The percentage of memory used by a user. | |
| Memory | mem_user_used
|
number | The amount of memory used by a user. | |
| Memory | swap_percent
|
number | The total swap space size, in percentage. | |
| Memory | swap_used
|
number | The used swap space size, in megabytes, if applicable. | |
| Memory | swap_user_percent
|
number | The percentage of swap space used, in megabytes, per user. | |
| Memory | swap_user_used
|
number | The used swap space size, in megabytes, per user. | |
| Storage | mount
|
string | The mount point of a storage resource. | |
| Storage | read_blocks
|
number | Number of blocks read. | |
| Storage | read_latency
|
number | The latency of read operations, in milliseconds. | |
| Storage | read_ops
|
number | Number of read operations. | |
| Storage | storage
|
number | The total amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_free
|
number | The free amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_free_percent
|
number | The percentage of storage capacity reported by the resource that is free. | |
| Storage | storage_used
|
string | The used amount of storage capacity reported by the resource, in megabytes. | |
| Storage | storage_used_percent
|
number | The percentage of storage capacity reported by the resource that is used. | |
| Storage | write_blocks
|
number | The number of blocks written by the resource. | |
| Storage | write_latency
|
number | The latency of write operations, in milliseconds. | |
| Storage | write_ops
|
number | The total number of write operations processed by the resource. | |
| Network | bytes_in
|
number | How many bytes this resource received. | |
| Network | bytes_out
|
number | How many bytes this resource transmitted. | |
| Network | interface
|
string | The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.
|
|
| OS | uptime
|
number | The uptime of the resource, in seconds. | |
| Facilities | fan_speed
|
number | Fan speed of resource. | |
| Facilities | power
|
number | Amount of power used by resource. | |
| Facilities | temperature
|
number | Temperature of the resource. | |
| Inventory | description
|
string | The description of the inventory system. | |
| Inventory | enabled
|
boolean | Indicates whether the resource is enabled or disabled. | |
| Inventory | family
|
string | The product family of the resource. | |
| Inventory | hypervisor_id
|
string | The hypervisor identifier, if applicable. | |
| Inventory | serial
|
string | The serial number of the resource. | |
| Inventory | status
|
string | The current reported state of the resource. | |
| Inventory | tag
|
string | Splunk uses this automatically generated field to access tags from within data models. You do not need to populate it. | |
| Inventory | version
|
string | The version of a computer resource. | |
| Inventory | dest
|
string | The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| Inventory | vendor_product
|
string | The vendor and product name of the resource. | |
| Machine Information | cpu_cores
|
number | The number of CPU cores reported by the resource (total, not per CPU). | |
| Machine Information | cpu_count
|
number | The number of CPUs reported by the resource. | |
| Machine Information | cpu_mhz
|
number | The maximum speed of the CPU reported by the resource (in megahertz). | |
| Machine Information | mem
|
number | The total amount of memory installed in or allocated to the resource, in megabytes. | |
| Storage Information | blocksize
|
number | Block size used by the resource, in kilobytes. | |
| Storage Information | mount
|
string | The mount point of a storage resource. | |
| Storage Information | parent
|
string | A generic indicator of hierarchy. For instance, a disk event might include the array id here. | |
| Storage Information | storage
|
number | The total amount of storage capacity reported by the resource, in megabytes. | |
| Network Information | dest_ip
|
string | The IP address for the system that the data is going to. | |
| Network Information | dns
|
string | The domain name server for the resource. | |
| Network Information | interface
|
string | The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.
|
|
| Network Information | ip
|
string | The network addresses of the computing resource, such as 192.168.1.1 or E80:0000:0000:0000:0202:B3FF:FE1E:8329.
|
|
| Network Information | mac
|
string | A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.
|
|
| Network Information | src_ip
|
string | The IP address for the system from which the data originates. | |
| User Information | shell
|
string | Indicates the shell program used by a locally defined account. | |
| User Information | user_bunit
|
string | The business unit of the locally-defined user account. This field is automatically provided by Asset and Identity correlation features of Splunk platform applications. | |
| User Information | user_category
|
string | The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by Asset and Identity correlation features of Splunk platform applications. | |
| User Information | user_id
|
number | The user identification for a locally defined account. | |
| User Information | user_priority
|
string | The priority of a locally-defined account. | |
| User Information | dest
|
string | The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.|
| |
| User Information | interactive
|
boolean | TBD | |
| User Information | password
|
string | The password entered by the user involved in the event. | |
| User Information | user
|
string | The name of the user involved in the event. | |
| Updates | dest_should_update
|
boolean | Derived field that is aliased by the dest field within ITSI.
|
|
| Updates | file_hash
|
string | The checksum of the patch package that was installed or attempted. | |
| Updates | file_name
|
string | The name of the package that was updated or attempted. | |
| Updates | tag
|
string | A tag associated with the event. | |
| Updates | dest
|
string | The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
|
|
| Updates | signature
|
string | The event description signature, if available. | |
| Updates | signature_id
|
string | The numeric integer value of an event. | |
| Updates | status
|
string | The status of an event. | |
| Updates | vendor_product
|
string | The vendor and product associated with the event. | |
| Available Updates | N/A | N/A | N/A | |
| Installed Updates | N/A | N/A | N/A | |
| Updates Requiring Restart | N/A | N/A | N/A | |
| Security | dest
|
string | The system affected by the security event. | |
| User Access | action
|
string | The result of a user access event. | |
| User Access | user
|
string | The ID of the user. | |
| File Access | action
|
string | The result of a file access event. | |
| File Access | file
|
string | The name of the file being accessed. | |
| File Access | user
|
string | The ID of the user accessing the file. |
Searches for OS Module objects
The following table lists the extracted and calculated fields for the search objects in the model. Note that it does not include any inherited fields.
| Object name | Field name | Data type |
|---|---|---|
| Update Errors | _time
|
time |
| Update Errors | host
|
string |
| Update Errors | source
|
string |
| Update Errors | sourcetype
|
string |
Last modified on 28 April, 2023
| Operating System Module entity attributes | Operating System Module troubleshooting |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1
Download manual
Feedback submitted, thanks!