Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Protocols that map to Splunk CIM

The Splunk Common Information Model (CIM) provides data models that help you build searches of event data. Splunk data models generate search strings based on the data model objects and fields that you specify. Splunk App for Stream supports several protocols that map directly to the Splunk CIM.

Splunk App for Stream supports the following data models in Splunk_SA_CIM:

Authentication

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| Authentication | user | string | Generic name for the class of the updated resource object. Expected values may be specific to an App. |

Change Analysis

XMPP

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Changes | object_category | string | Generic name for the class of the updated resource object. Expected values may be specific to an App. |
| Filesystem_Changes | file_name | string | The name of the file that is the object of the event (without location information related to local file or directory structure). |
| Filesystem_Changes | file_access_time | string | The time the file (the object of the event) was accessed. |
| Filesystem_Changes | file_hash | string | A cryptographic identifier assigned to the file object affected by the event. |
| Filesystem_Changes | file_size | string | The size of the file that is the object of the event, in kilobytes. |

Certificates

TCP

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Certificates | dest | string | The target in the certificate management event. |
| All_Certificates | duration | number | The amount of time for the completion of the certificate management event, in seconds. |
| All_Certificates | response_time | number | The amount of time it took to receive a response in the certificate management event, if applicable. |
| All_Certificates | src | string | The source involved in the certificate management event. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host. |
| All_Certificates | transport | string | The transport protocol of the Network Traffic involved with this certificate. |
| SSL | ssl_end_time | string | The expiration time of the certificate. |
| SSL | ssl_hash | string | The certificate hash. |
| SSL | ssl_issuer | string | The certificate issuer's RFC2253 Distinguished Name. |
| SSL | ssl_issuer_common_name | string | The certificate issuer common name. |
| SSL | ssl_issuer_email | string | The certificate issuer email address. |
| SSL | ssl_issuer_locality | string | The certificate issuer locality. |
| SSL | ssl_issuer_organization | string | The certificate issuer organization. |
| SSL | ssl_issuer_state | string | The certificate issuer state of residence. |
| SSL | ssl_issuer_street | string | The certificate issuer street address. |
| SSL | ssl_issuer_unit | string | The certificate issuer organizational unit. |
| SSL | ssl_serial | string | The certificate serial number. |
| SSL | ssl_session_id | string | The session identifier for this certificate. |
| SSL | ssl_start_time | string | The start date and time for this certificate's validity. |
| SSL | ssl_subject | string | The certificate owner's RFC2253 Distinguished Name. |
| SSL | ssl_subject_common_name | string | The certificate owner common name. |
| SSL | ssl_subject_email | string | The certificate owner email address. |
| SSL | ssl_subject_locality | string | The certificate owner locality. |
| SSL | ssl_subject_state | string | The certificate owner state of residence. |
| SSL | ssl_subject_street | string | The certificate owner street address. |
| SSL | ssl_subject_unit | string | The certificate owner organizational unit. |
| SSL | ssl_version | string | The SSL version of this certificate. |

Databases

Splunk App for Stream supports these objects and fields in the Databases data model for MySQL, PostgreSQL, Sybase TDS, and Oracle TNS:

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Databases | user | string | The name of the database process user. |
| All_Databases | object | string | The name of the database object. |
| Database_instance | instance_name | string | The name of the database instance. |
| Database_instance | database_version | string | The version of the database instance. |
| Database_Query | query | string | The database query used for the transaction. |
| Database_Query | query_time | string | The time the system initiated the database query. |

Email

Splunk App for Stream supports these objects and fields in the Email data model:

SMTP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | recipient_count | number | The total number of intended message recipients. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |

POP3

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | recipient | string | A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com". | |
| All_Email | receiver_email | string | | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | src_user | string | The email address of the message sender. | |
| All_Email | status_code | string | The status code associated with the message. | |
| All_Email | user | string | The user context for the process. This is not the email address of the sender; for that, see the src_user field. | |
| All_Email | orig_src | string | The original source of the message. | |

IMAP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| All_Email | app | string | | |
| All_Email | action | string | Action taken by the reporting device. | delivered, blocked, quarantined, unknown |
| All_Email | delay | number | Total sending delay in seconds. | |
| All_Email | file_name | string | The name(s) of the file(s) attached to the message, if any exist. | |
| All_Email | process | string | The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client. | |
| All_Email | protocol | string | The email protocol involved, such as SMTP or RPC. | |
| All_Email | size | number | The size of the message, in bytes. | |
| All_Email | status_code | string | The status code associated with the message. | |

Network Resolution

DNS

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| DNS | answer | string | Resolved address for the query. |
| DNS | answer_count | string | Number of entries in the answer section of the DNS message. |
| DNS | additional_answer_count | string | Number of entries in the "additional" section of the DNS message. |
| DNS | authority_answer_count | string | Number of entries in the "authority" section of the DNS message. |
| DNS | query_count | string | Number of entries that appear in the "Questions" section of the DNS query. |

Network Sessions

DHCP

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| DHCP | lease_duration | number | The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds. |

Network Traffic

| Object name(s) | Field name | Data type | Description |
|---|---|---|---|
| All_Traffic | app | string | The application protocol of the traffic. |
| All_Traffic | bytes | number | Total count of bytes handled by this device/interface (bytes_in + bytes_out). |
| All_Traffic | bytes_in | number | How many bytes this device/interface received. |
| All_Traffic | bytes_out | number | How many bytes this device/interface transmitted. |
| All_Traffic | dest | string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name. |
| All_Traffic | dest_ip | string | The IP address of the destination. |
| All_Traffic | dest_mac | string | The TCP/IP layer 2 Media Access Control (MAC) address of the packet's destination, such as 06:10:9f:eb:8f:14. |
| All_Traffic | dest_port | number | The destination port of the network traffic. |
| All_Traffic | duration | string | The amount of time for the completion of the network event, in seconds. |
| All_Traffic | response_time | string | The amount of time it took to receive a response in the network event, if applicable. |
| All_Traffic | src | string | The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as src_host, src_ip, or src_name. |
| All_Traffic | src_ip | string | The IP address of the source. |
| All_Traffic | src_mac | string | The TCP/IP layer 2 Media Access Control (MAC) address of the packet's source, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. |
| All_Traffic | src_port | number | The source port of the network traffic. |
| All_Traffic | transport | string | The OSI layer 4 (transport) protocol of the traffic observed, in lower case. |
| All_Traffic | user | string | The user that requested the traffic flow. |

Web

HTTP

| Object name(s) | Field name | Data type | Description | Possible values |
|---|---|---|---|---|
| Web | action | string | The action taken by the server or proxy. | |
| Web | app | string | The app recording the data, such as IIS, Squid, or Bluecoat. | |
| Web | bytes | number | The total number of bytes transferred (bytes_in + bytes_out). | |
| Web | bytes_in | number | The number of inbound bytes transferred. | |
| Web | bytes_out | number | The number of outbound bytes transferred. | |
| Web | cookie | string | The cookie file recorded in the event. | |
| Web | dest | string | The destination of the network traffic (the remote host). | |
| Web | duration | number | The time taken by the proxy event, in milliseconds. | |
| Web | http_content_type | string | The content-type of the requested HTTP resource. | |
| Web | http_method | string | The HTTP method used in the request. | GET, PUT, POST, DELETE, etc. |
| Web | http_referrer | string | The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names. | |
| Web | http_user_agent | string | The user agent used in the request. | |
| Web | response_time | number | The amount of time it took to receive a response, if applicable, in milliseconds. | |
| Web | src | string | The source of the network traffic (the client requesting the connection). | |
| Web | status | string | The HTTP response code indicating the status of the proxy request. | 404, 302, 500, and so on |
| Web | uri_path | string | The universal resource indicator path of the resource served by the webserver or proxy. | |
| Web | uri_query | string | The universal resource indicator query of the resource requested by the client. | |
| Web | url | string | The URL of the requested HTTP resource. | |
| Web | user | string | The user that requested the HTTP resource. | |
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0
