This documentation does not apply to the most recent version of Splunk Stream™.
For documentation on the most recent version, go to the latest release.
Stream protocols that map to the Splunk CIM
The Splunk Common Information Model (CIM) provides data models that help you build searches of event data. Splunk data models generate search strings based on the data model objects and fields that you specify. Splunk App for Stream supports several protocols that map directly to the Splunk CIM.
Splunk App for Stream supports the following data models in Splunk_SA_CIM:
Databases
Splunk App for Stream supports these objects and fields in the Databases data model for MySQL, PostgreSQL, Sybase TDS, and Oracle TNS:
| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Databases | user
|
string | The Name of the database process user. |
| All_Databases | object
|
string | The name of the database object. |
| Database_instance | instance_name
|
string | The name of the database_instance.
|
| Database_instance | database_version
|
string | The version of the database_instance.
|
| Database_Query | query
|
string | The database query used for the transaction. |
| Database_Query | query_time
|
string | The time the system initiated the database query. |
Splunk App for Stream supports these objects and fields in the Email data model:
SMTP
| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app
|
string | ||
| All_Email | action
|
string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown
|
| All_Email | delay
|
number | Total sending delay in seconds. | |
| All_Email | file_name
|
string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process
|
string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.
|
|
| All_Email | protocol
|
string | The email protocol involved, such as SMTP or RPC.
|
|
| All_Email | recipient
|
string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com".
|
|
| All_Email | recipient_count
|
number | The total number of intended message recipients. | |
| All_Email | size
|
number | The size of the message, in bytes. | |
| All_Email | src_user
|
string | The email address of the message sender. | |
| All_Email | status_code
|
string | The status code associated with the message. |
POP3
| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app
|
string | ||
| All_Email | action
|
string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown
|
| All_Email | delay
|
number | Total sending delay in seconds. | |
| All_Email | file_name
|
string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | protocol
|
string | The email protocol involved, such as SMTP or RPC.
|
|
| All_Email | recipient
|
string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com".
|
|
| All_Email | receiver_email
|
string | ||
| All_Email | size
|
number | The size of the message, in bytes. | |
| All_Email | src_user
|
string | The email address of the message sender. | |
| All_Email | status_code
|
string | The status code associated with the message. | |
| All_Email | user
|
string | The user context for the process. This is not the email address for the sender. For that, look at the src_user field.
|
|
| All_Email | orig_src
|
string | The original source of the message. |
IMAP
| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app
|
string | ||
| All_Email | action
|
string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown
|
| All_Email | delay
|
number | Total sending delay in seconds. | |
| All_Email | file_name
|
string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process
|
string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.
|
|
| All_Email | protocol
|
string | The email protocol involved, such as SMTP or RPC.
|
|
| All_Email | size
|
number | The size of the message, in bytes. | |
| All_Email | status_code
|
string | The status code associated with the message. |
Last modified on 30 March, 2015
| Network data protocols that Splunk App for Stream can capture | Install Splunk App for Stream |
This documentation applies to the following versions of Splunk Stream™: 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2
Download manual
Feedback submitted, thanks!