Splunk Stream

Installation and Configuration Manual


Protocols that map to Splunk CIM

The Splunk Common Information Model (CIM) provides data models that help you build searches of event data. Splunk data models generate search strings based on the data model objects and fields that you specify. Splunk App for Stream supports several protocols that map directly to the Splunk CIM.

Splunk App for Stream supports the following data models in Splunk_SA_CIM:

Authentication

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| Authentication | user | string | Generic name for the class of the updated resource object. Expected values may be specific to an App. |

Change Analysis

XMPP

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Changes | object_category | string | Generic name for the class of the updated resource object. Expected values may be specific to an App. |
| Filesystem_Changes | file_name | string | The name of the file that is the object of the event (without location information related to local file or directory structure). |
| Filesystem_Changes | file_access_time | string | The time the file (the object of the event) was accessed. |
| Filesystem_Changes | file_hash | string | A cryptographic identifier assigned to the file object affected by the event. |
| Filesystem_Changes | file_size | string | The size of the file that is the object of the event, in kilobytes. |

Certificates

TCP

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Certificates | dest | string | The target in the certificate management event. |
| All_Certificates | duration | number | The amount of time for the completion of the certificate management event, in seconds. |
| All_Certificates | response_time | number | The amount of time it took to receive a response in the certificate management event, if applicable. |
| All_Certificates | src | string | The source involved in the certificate management event. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host. |
| All_Certificates | transport | string | The transport protocol of the Network Traffic involved with this certificate. |
| SSL | ssl_end_time | string | The expiry time of the certificate. |
| SSL | ssl_hash | string | The hash of the certificate. |
| SSL | ssl_issuer | string | The certificate issuer's RFC2253 Distinguished Name. |
| SSL | ssl_issuer_common_name | string | The certificate issuer's common name. |
| SSL | ssl_issuer_email | string | The certificate issuer's email address. |
| SSL | ssl_issuer_locality | string | The certificate issuer's locality. |
| SSL | ssl_issuer_organization | string | The certificate issuer's organization. |
| SSL | ssl_issuer_state | string | The certificate issuer's state of residence. |
| SSL | ssl_issuer_street | string | The certificate issuer's street address. |
| SSL | ssl_issuer_unit | string | The certificate issuer's organizational unit. |
| SSL | ssl_serial | string | The certificate's serial number. |
| SSL | ssl_session_id | string | The session identifier for this certificate. |
| SSL | ssl_start_time | string | The start date and time of this certificate's validity. |
| SSL | ssl_subject | string | The certificate owner's RFC2253 Distinguished Name. |
| SSL | ssl_subject_common_name | string | The certificate owner's common name. |
| SSL | ssl_subject_email | string | The certificate owner's email address. |
| SSL | ssl_subject_locality | string | The certificate owner's locality. |
| SSL | ssl_subject_state | string | The certificate owner's state of residence. |
| SSL | ssl_subject_street | string | The certificate owner's street address. |
| SSL | ssl_subject_unit | string | The certificate owner's organizational unit. |
| SSL | ssl_version | string | The SSL version of this certificate. |

Databases

Splunk App for Stream supports these objects and fields in the Databases data model for MySQL, PostgreSQL, Sybase TDS, and Oracle TNS:

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Databases | user | string | The name of the database process user. |
| All_Databases | object | string | The name of the database object. |
| Database_instance | instance_name | string | The name of the database instance. |
| Database_instance | database_version | string | The version of the database instance. |
| Database_Query | query | string | The database query used for the transaction. |
| Database_Query | query_time | string | The time the system initiated the database query. |

Email

Splunk App for Stream supports these objects and fields in the Email data model:

SMTP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | recipient_count | number | The total number of intended message recipients. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |

POP3

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | receiver_email | string | | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |
| All_Email | user | string | The user context for the process. This is not the email address of the sender; for that, use the src_user field. | |
| All_Email | orig_src | string | The original source of the message. | |

IMAP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | status_code | string | The status code associated with the message. | |

Network Resolution

DNS

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| DNS | answer | string | Resolved address for the query. | |
| DNS | answer_count | string | Number of entries in the answer section of the DNS message. | |
| DNS | additional_answer_count | string | Number of entries in the "additional" section of the DNS message. | |
| DNS | authority_answer_count | string | Number of entries in the "authority" section of the DNS message. | |
| DNS | query_count | string | Number of entries that appear in the "Questions" section of the DNS query. | |

Network Sessions

DHCP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| DHCP | lease_duration | number | The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds. | |

Network Traffic

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Traffic | app | string | The application protocol of the traffic. | |
| All_Traffic | bytes | number | Total count of bytes handled by this device/interface (bytes_in + bytes_out). | |
| All_Traffic | bytes_in | number | How many bytes this device/interface received. | |
| All_Traffic | bytes_out | number | How many bytes this device/interface transmitted. | |
| All_Traffic | dest | string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| All_Traffic | dest_ip | string | The IP address of the destination. | |
| All_Traffic | dest_mac | string | The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. | |
| All_Traffic | dest_port | number | The destination port of the network traffic. | |
| All_Traffic | duration | string | The amount of time for the completion of the network event, in seconds. | |
| All_Traffic | response_time | string | The amount of time it took to receive a response in the network event, if applicable. | |
| All_Traffic | src | string | The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as src_host, src_ip, or src_name. | |
| All_Traffic | src_ip | string | The IP address of the source. | |
| All_Traffic | src_mac | string | The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. | |
| All_Traffic | src_port | number | The source port of the network traffic. | |
| All_Traffic | transport | string | The OSI layer 4 (transport) protocol of the traffic observed, in lower case. | |
| All_Traffic | user | string | The user that requested the traffic flow. | |

Web

HTTP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Web | action | string | The action taken by the server or proxy. | |
| Web | app | string | The app recording the data, such as IIS, Squid, or Bluecoat. | |
| Web | bytes | number | The total number of bytes transferred (bytes_in + bytes_out). | |
| Web | bytes_in | number | The number of inbound bytes transferred. | |
| Web | bytes_out | number | The number of outbound bytes transferred. | |
| Web | cookie | string | The cookie file recorded in the event. | |
| Web | dest | string | The destination of the network traffic (the remote host). | |
| Web | duration | number | The time taken by the proxy event, in milliseconds. | |
| Web | http_content_type | string | The content-type of the requested HTTP resource. | |
| Web | http_method | string | The HTTP method used in the request. | GET, PUT, POST, DELETE, etc. |
| Web | http_referrer | string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names. | |
| Web | http_user_agent | string | The user agent used in the request. | |
| Web | response_time | number | The amount of time it took to receive a response, if applicable, in milliseconds. | |
| Web | src | string | The source of the network traffic (the client requesting the connection). | |
| Web | status | string | The HTTP response code indicating the status of the proxy request. | 404, 302, 500, and so on. |
| Web | uri_path | string | The universal resource indicator path of the resource served by the webserver or proxy. | |
| Web | uri_query | string | The universal resource indicator query of the resource requested by the client. | |
| Web | url | string | The URL of the requested HTTP resource. | |
| Web | user | string | The user that requested the HTTP resource. | |

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1