Splunk® IT Service Intelligence
Operating System Module data model reference table

Use the tables below as a reference for the data models of this module. The tables contain a breakdown of the tags required for the event objects or searches in each model, and a listing of all extracted and calculated fields included in the model. Data models can be edited by navigating to Settings > Data models.

For information on how to map your data to the data models available in the Splunk IT Service Intelligence Modules, see the below links:

Tags used with event objects

The following tags act as constraints that identify your events as relevant to this data model. Where several tags are listed for one object, all of them must be present on the event (child objects inherit the constraints of their parent). The status="..." entries under Updates are field-value constraints on the extracted status field, not additional tags.

Object name                     Tag name
Performance                     performance
|____ CPU                       performance, cpu
|____ Memory                    performance, memory
|____ Storage                   performance, storage
|____ Network                   performance, network
|____ OS                        performance, os
|____ Facilities                performance, facilities
|____ Process                   performance, process
Inventory                       inventory
|____ Machine Information       inventory, (cpu OR memory)
|____ Storage Information       inventory, storage
|____ Network Information       inventory, network
User Information                inventory, user
Updates                         update, status
|____ Available Updates         update, status, status="available"
|____ Installed Updates         update, status, status="installed"
|____ Updates Requiring Restart update, status, status="restart_required"
Security                        access
|____ User Access               access, user
|____ File Access               access, file
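The following eventtypes.conf and tags.conf stanzas are an added example of how the tag constraints above are applied to incoming data; they are not part of the page or of the module's shipped configuration. The sourcetype names (example:linux:cpu, example:windows:update) and the eventtype names are assumptions about your data; the tag names are the ones required by the table. With these stanzas, events from the first sourcetype satisfy the Performance > CPU constraint, and events from the second satisfy the Updates constraint.

```ini
# eventtypes.conf  (added example; sourcetype and eventtype names are assumptions)
[example_linux_cpu]
search = sourcetype="example:linux:cpu"

[example_windows_update]
search = sourcetype="example:windows:update"

# tags.conf  (tag names are those required by the table above)
# Performance > CPU requires both tags on the event: performance AND cpu.
[eventtype=example_linux_cpu]
performance = enabled
cpu = enabled

# Updates requires update AND status. The three child objects (Available,
# Installed, Updates Requiring Restart) are then selected by the value of
# the extracted status field, so no further tag is needed here, but the
# status field must be extracted with one of the values the model expects.
[eventtype=example_windows_update]
update = enabled
status = enabled
```

After deploying the stanzas, the quickest check is a search such as tag=performance tag=cpu restricted to the new sourcetype; if it returns nothing, the eventtype search is not matching, and the data model will not see the events either.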

Fields for OS Module event objects

The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.

Object name Field name Data type Description
Performance hypervisor_id string The ID of the virtualization hypervisor.
Performance resource_type string The type of facilities resource involved in the event.
Performance tag string Splunk uses this automatically generated field to access tags from within data models. You do not need to populate it.
Performance dest string The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
CPU cpu_count number The number of CPUs reported by the resource.
CPU cpu_load_mhz number The CPU load in use, in megahertz.
CPU cpu_load_percent number The percentage of CPU capacity in use.
CPU cpu_time number The number of CPU seconds consumed by processes.
CPU cpu_user_percent number Percentage of CPU user time consumed by processes.
CPU wait_threads_count number Total number of threads waiting to execute.
Memory mem_free number The free amount of memory reported by the resource, in megabytes.
Memory mem_free_percent number The percentage of memory reported by the resource that is free.
Memory mem_used number The used amount of memory reported by the resource, in megabytes.
Memory mem_used_percent number The percentage of memory reported by the resource that is used.
Memory mem_user_percent number The percentage of memory used by a user.
Memory mem_user_used number The amount of memory used by a user.
Memory swap_percent number The percentage of total swap space that is used.
Memory swap_used number The used swap space size, in megabytes, if applicable.
Memory swap_user_percent number The percentage of swap space used, per user.
Memory swap_user_used number The used swap space size, in megabytes, per user.
Storage mount string The mount point of a storage resource.
Storage read_blocks number Number of blocks read.
Storage read_latency number The latency of read operations, in milliseconds.
Storage read_ops number Number of read operations.
Storage storage number The total amount of storage capacity reported by the resource, in megabytes.
Storage storage_free number The free amount of storage capacity reported by the resource, in megabytes.
Storage storage_free_percent number The percentage of storage capacity reported by the resource that is free.
Storage storage_used number The used amount of storage capacity reported by the resource, in megabytes.
Storage storage_used_percent number The percentage of storage capacity reported by the resource that is used.
Storage write_blocks number The number of blocks written by the resource.
Storage write_latency number The latency of write operations, in milliseconds.
Storage write_ops number The total number of write operations processed by the resource.
Network bytes_in number How many bytes this resource received.
Network bytes_out number How many bytes this resource transmitted.
Network interface string The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.
OS uptime number The uptime of the resource, in seconds.
Facilities fan_speed number Fan speed of resource.
Facilities power number Amount of power used by resource.
Facilities temperature number Temperature of the resource.
Inventory description string The description of the inventory system.
Inventory enabled boolean Indicates whether the resource is enabled or disabled.
Inventory family string The product family of the resource.
Inventory hypervisor_id string The hypervisor identifier, if applicable.
Inventory serial string The serial number of the resource.
Inventory status string The current reported state of the resource.
Inventory tag string Splunk uses this automatically generated field to access tags from within data models. You do not need to populate it.
Inventory version string The version of a computer resource.
Inventory dest string The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
Inventory vendor_product string The vendor and product name of the resource.
Machine Information cpu_cores number The number of CPU cores reported by the resource (total, not per CPU).
Machine Information cpu_count number The number of CPUs reported by the resource.
Machine Information cpu_mhz number The maximum speed of the CPU reported by the resource (in megahertz).
Machine Information mem number The total amount of memory installed in or allocated to the resource, in megabytes.
Storage Information blocksize number Block size used by the resource, in kilobytes.
Storage Information mount string The mount point of a storage resource.
Storage Information parent string A generic indicator of hierarchy. For instance, a disk event might include the array id here.
Storage Information storage number The total amount of storage capacity reported by the resource, in megabytes.
Network Information dest_ip string The IP address for the system that the data is going to.
Network Information dns string The domain name server for the resource.
Network Information interface string The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface.
Network Information ip string The network addresses of the computing resource, such as 192.168.1.1 or FE80:0000:0000:0000:0202:B3FF:FE1E:8329.
Network Information mac string A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Always force lower case on this field, and always use colons as the separator rather than dashes, spaces, or no separator.
Network Information src_ip string The IP address for the system from which the data originates.
User Information shell string Indicates the shell program used by a locally defined account.
User Information user_bunit string The business unit of the locally-defined user account. This field is automatically provided by Asset and Identity correlation features of Splunk platform applications.
User Information user_category string The category of the locally-defined user account, such as privileged or cardholder. This field is automatically provided by Asset and Identity correlation features of Splunk platform applications.
User Information user_id number The user identification for a locally defined account.
User Information user_priority string The priority of a locally-defined account.
User Information dest string The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
User Information interactive boolean TBD
User Information password string The password entered by the user involved in the event.
User Information user string The name of the user involved in the event.
Updates dest_should_update boolean Derived field that is aliased by the dest field within ITSI.
Updates file_hash string The checksum of the patch package that was installed or attempted.
Updates file_name string The name of the package that was updated or attempted.
Updates tag string Splunk uses this automatically generated field to access tags from within data models. You do not need to populate it.
Updates dest string The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
Updates signature string The event description signature, if available.
Updates signature_id string The unique identifier or event code of the event signature.
Updates status string The status of an event.
Updates vendor_product string The vendor and product associated with the event.
Available Updates N/A N/A No fields of its own; it inherits the Updates fields and is selected by status="available".
Installed Updates N/A N/A No fields of its own; it inherits the Updates fields and is selected by status="installed".
Updates Requiring Restart N/A N/A No fields of its own; it inherits the Updates fields and is selected by status="restart_required".
Security dest string The system affected by the security event.
User Access action string The result of a user access event.
User Access user string The ID of the user.
File Access action string The result of a file access event.
File Access file string The name of the file being accessed.
File Access user string The ID of the user accessing the file.
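Several rows above say that dest can be aliased from a more specific field, that mac must be lower case with colon separators, and that the Updates child objects are chosen by the value of status. The props.conf stanzas below are an added example of doing that normalization at search time; they are not part of the page or of the module. The sourcetype names and the raw vendor field names (host, HardwareAddress, UpdateState and its three values) are assumptions about the incoming data. The mac expression handles upper case and dash separators; a MAC with no separator at all would need a different expression.

```ini
# props.conf  (added example; sourcetypes and raw field names are assumptions)
[example:windows:inventory]
# dest: the table allows aliasing from a more specific field, so alias it
# from the host the event was collected on.
FIELDALIAS-dest = host AS dest
# mac: the table requires lower case and colon separators.
# lower() folds case, replace() swaps the dash separator for colons.
EVAL-mac = replace(lower(HardwareAddress), "-", ":")

[example:windows:update]
FIELDALIAS-dest = host AS dest
# status: Available Updates / Installed Updates / Updates Requiring Restart
# are selected by the status value, so map the assumed vendor state words
# onto the three values the model expects. Anything unrecognized is treated
# as available rather than silently dropped from every child object.
EVAL-status = case(UpdateState=="Installed", "installed", UpdateState=="PendingReboot", "restart_required", true(), "available")
```

Because these are search-time evaluations, they take effect without re-indexing; check them with a search over the sourcetype that tables dest, mac and status before relying on the data model's accelerated summaries.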

Searches for OS Module objects

The following table lists the extracted and calculated fields for the search objects in the model. Note that it does not include any inherited fields.

Object name Field name Data type
Update Errors _time time
Update Errors host string
Update Errors source string
Update Errors sourcetype string
Last modified on 13 March, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3