Web Server Module data model reference table
Use the below tables as a reference for the data models of this module. The tables contain a breakdown of the required tags for the event objects or searches in that model, and a listing of all extracted and calculated fields included in the model. Data models can be edited by navigating to Settings > Data models
For information on how to map your data to the data models available in the Splunk IT Service Intelligence Modules, see the below links:
- How to use these reference tables in the Common Information Model Add-on Manual.
- About data models in the Splunk Enterprise Knowledge Manager Manual.
Tags used with event objects
The following tags act as constraints to identify your events as being relevant to this data model.
| Object name | Tag name |
|---|---|
| Inventory | web, inventory |
| Activity | web, activity |
Fields for Web Server event objects
The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.
| Object Name | Field Name | Data Type | Description |
|---|---|---|---|
| Inventory | dest
|
string | The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
|
| Inventory | dest_ip
|
string | The IP address for the system that the data is going to. |
| Inventory | dest_port
|
number | The port on which the request is served. |
| Inventory | site
|
string | The virtual site which services the request, if applicable. |
| Inventory | vendor
|
string | The name of the company or group that produces the web server. |
| Inventory | vendor_product
|
string | The vendor and product or service that is being monitored. |
| Inventory | version
|
string | The version of a product. |
| Inventory | web_server
|
string | The host name of a web server and application. |
| Inventory | role
|
string | Static field added by the Splunk platform to link the web server data model to web server KPIs. |
| Activity | action
|
string | The action taken by the server or proxy. |
| Activity | app
|
string | The app recording the data, such as IIS, Apache, or Bluecoat. |
| Activity | availability
|
number | The current availability of the web server. |
| Activity | bytes
|
number | The total number of bytes transferred (bytes_in + bytes_out).
|
| Activity | bytes_in
|
number | How many bytes this resource received. |
| Activity | bytes_out
|
number | How many bytes this resource transmitted. |
| Activity | cached
|
string | Indicates whether the event data is cached or not. |
| Activity | category
|
string | The category of traffic, such as may be provided by a proxy server. |
| Activity | client_packets
|
number | Number of packets sent from the client to the point of capture. |
| Activity | connection
|
string | TCP session server endpoint (IP address and TCP port). |
| Activity | cookie
|
string | The cookie file recorded in the event. |
| Activity | data_center_time
|
string | Calculation of the number of microseconds from the last request packet to the last response packet. |
| Activity | duration
|
number | The time taken by the proxy event (in milliseconds). |
| Activity | encoding
|
string | Contains the encoding of the activity. |
| Activity | form_data
|
string | A url-encoded string representation. |
| Activity | http_content_type
|
string | The content-type of the requested HTTP resource. |
| Activity | http_method
|
string | The HTTP method used in the request (GET, PORT, etc.). |
| Activity | http_referer
|
string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names.
|
| Activity | http_user_agent
|
string | The user agent string for the browser that the client is using. |
| Activity | http_version
|
string | The version of the requested HTTP resource. |
| Activity | reply_time
|
number | The amount of time it took to make a reply in the network session event, if applicable. |
| Activity | request_time
|
number | The amount of time it took to receive a request in the network session event, if applicable. |
| Activity | response_time
|
number | Time it takes for a response to return from a server (in milliseconds). |
| Activity | server_packets
|
number | Total number of packets sent between the client and the server. |
| Activity | site
|
string | The name of the application running on the site. |
| Activity | src
|
string | The source of the network traffic (the client requesting the connection). |
| Activity | src_ip
|
string | The ip address of the client making a request. |
| Activity | src_port
|
number | The source port of the network traffic.
Note: Do not translate the values of this field to strings ( |
| Activity | ssl_version
|
string | The SSL version of this activity. |
| Activity | status
|
number | The HTTP response code indicating the status of the proxy request. |
| Activity | uri_path
|
string | The URI path of the resource served by the webserver or proxy. |
| Activity | uri_query
|
string | The query string that shows a search against an endpoint. |
| Activity | url
|
string | The URL of the requested HTTP resource. |
| Activity | url_length
|
number | The length of the URL. |
| Activity | url_param
|
string | The string used to receive URL parameter values. |
| Activity | user
|
string | The user that requested the HTTP resource. |
| Activity | web_server
|
string | The host name and port. |
| Web Server Module KPIs and thresholds | Troubleshoot the Web Server Module |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1
Download manual
Feedback submitted, thanks!