Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Stream protocols that map to the Splunk CIM

The Splunk Common Information Model (CIM) provides data models that help you build searches of event data. Splunk data models generate search strings based on the data model objects and fields that you specify. Splunk App for Stream supports several protocols that map directly to the Splunk CIM.

Splunk App for Stream supports the following data models in Splunk_SA_CIM:

Databases

Splunk App for Stream supports these objects and fields in the Databases data model for MySQL, PostgreSQL, Sybase TDS, and Oracle TNS:

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Databases | user | string | The name of the database process user. |
| All_Databases | object | string | The name of the database object. |
| Database_instance | instance_name | string | The name of the database instance. |
| Database_instance | database_version | string | The version of the database instance. |
| Database_Query | query | string | The database query used for the transaction. |
| Database_Query | query_time | string | The time the system initiated the database query. |

Email

Splunk App for Stream supports these objects and fields in the Email data model:

SMTP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | recipient_count | number | The total number of intended message recipients. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |

POP3

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | receiver_email | string | | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |
| All_Email | user | string | The user context for the process. This is not the email address of the sender; for that, use the src_user field. | |
| All_Email | orig_src | string | The original source of the message. | |

IMAP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | status_code | string | The status code associated with the message. | |

Last modified on 30 March, 2015
This documentation applies to the following versions of Splunk Stream: 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2