Splunk® IT Service Intelligence

Modules

Download manual as PDF

Download topic as PDF

Web Server Module data model reference table

Use the below tables as a reference for the data models of this module. The tables contain a breakdown of the required tags for the event objects or searches in that model, and a listing of all extracted and calculated fields included in the model. Data models can be edited by navigating to Settings > Data models

For information on how to map your data to the data models available in the Splunk IT Service Intelligence Modules, see the below links:

Tags used with event objects

The following tags act as constraints to identify your events as being relevant to this data model.

Object name Tag name
Inventory web, inventory
Activity web, activity

Fields for Web Server event objects

The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.

Object Name Field Name Data Type Description
Inventory dest string The system where the event occurred. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
Inventory dest_ip string The IP address for the system that the data is going to.
Inventory dest_port number The port on which the request is served.
Inventory site string The virtual site which services the request, if applicable.
Inventory vendor string The name of the company or group that produces the web server.
Inventory vendor_product string The vendor and product or service that is being monitored.
Inventory version string The version of a product.
Inventory web_server string The host name of a web server and application.
Inventory role string Static field added by the Splunk platform to link the web server data model to web server KPIs.
Activity action string The action taken by the server or proxy.
Activity app string The app recording the data, such as IIS, Apache, or Bluecoat.
Activity availability number The current availability of the web server.
Activity bytes number The total number of bytes transferred (bytes_in + bytes_out).
Activity bytes_in number How many bytes this resource received.
Activity bytes_out number How many bytes this resource transmitted.
Activity cached string Indicates whether the event data is cached or not.
Activity category string The category of traffic, such as may be provided by a proxy server.
Activity client_packets number Number of packets sent from the client to the point of capture.
Activity connection string TCP session server endpoint (IP address and TCP port).
Activity cookie string The cookie file recorded in the event.
Activity data_center_time string Calculation of the number of microseconds from the last request packet to the last response packet.
Activity duration number The time taken by the proxy event (in milliseconds).
Activity encoding string Contains the encoding of the activity.
Activity form_data string A url-encoded string representation.
Activity http_content_type string The content-type of the requested HTTP resource.
Activity http_method string The HTTP method used in the request (GET, PORT, etc.).
Activity http_referer string The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names.
Activity http_user_agent string The user agent string for the browser that the client is using.
Activity http_version string The version of the requested HTTP resource.
Activity reply_time number The amount of time it took to make a reply in the network session event, if applicable.
Activity request_time number The amount of time it took to receive a request in the network session event, if applicable.
Activity response_time number Time it takes for a response to return from a server (in milliseconds).
Activity server_packets number Total number of packets sent between the client and the server.
Activity site string The name of the application running on the site.
Activity src string The source of the network traffic (the client requesting the connection).
Activity src_ip string The ip address of the client making a request.
Activity src_port number The source port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field.

Activity ssl_version string The SSL version of this activity.
Activity status number The HTTP response code indicating the status of the proxy request.
Activity uri_path string The URI path of the resource served by the webserver or proxy.
Activity uri_query string The query string that shows a search against an endpoint.
Activity url string The URL of the requested HTTP resource.
Activity url_length number The length of the URL.
Activity url_param string The string used to receive URL parameter values.
Activity user string The user that requested the HTTP resource.
Activity web_server string The host name and port.
Last modified on 30 April, 2020
PREVIOUS
Web Server Module KPIs and thresholds
  NEXT
Troubleshoot the Web Server Module

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters