Protocols that map to Splunk CIM
The Splunk Common Information Model (CIM) provides data models that help you build searches of event data. Splunk data models generate search strings based on the data model objects and fields that you specify. Splunk App for Stream supports several protocols that map directly to the Splunk CIM.
Splunk App for Stream supports the following data models in Splunk_SA_CIM:
Authentication
| Object name(s)
|
Field name
|
Data type
|
Description
|
| Authentication
|
user
|
string
|
Generic name for the class of the updated resource object. Expected values may be specific to an App.
|
Change Analysis
XMPP
| Object name(s)
|
Field name
|
Data type
|
Description
|
| All_Changes
|
object_category
|
string
|
Generic name for the class of the updated resource object. Expected values may be specific to an App.
|
| Filesystem_Changes
|
file_name
|
string
|
The name of the file that is the object of the event (without location information related to local file or directory structure).
|
| Filesystem_Changes
|
file_access_time
|
string
|
The time the file (the object of the event) was accessed.
|
| Filesystem_Changes
|
file_hash
|
string
|
A cryptographic identifier assigned to the file object affected by the event.
|
| Filesystem_Changes
|
file_size
|
string
|
The size of the file that is the object of the event, in kilobytes.
|
Certificates
TCP
| Object name(s)
|
Field name
|
Data type
|
Description
|
| All_Certificates
|
dest
|
string
|
The target in the certificate management event.
|
| All_Certificates
|
duration
|
number
|
The amount of time for the completion of the certificate management event, in seconds.
|
| All_Certificates
|
response_time
|
number
|
The amount of time it took to receive a response in the certificate management event, if applicable.
|
| All_Certificates
|
src
|
string
|
The source involved in the certificate management event. May be aliased from more specific fields, such as src_host, src_ip, or src_nt_host.
|
| All_Certificates
|
transport
|
string
|
The transport protocol of the Network Traffic involved with this certificate.
|
| SSL
|
ssl_end_time
|
string
|
The expiration time of the certificate.
|
| SSL
|
ssl_hash
|
string
|
The certificate hash.
|
| SSL
|
ssl_issuer
|
string
|
The certificate issuer's RFC2253 Distinguished Name.
|
| SSL
|
ssl_issuer_common_name
|
string
|
The certificate issuer common name.
|
| SSL
|
ssl_issuer_email
|
string
|
The certificate issuer email address.
|
| SSL
|
ssl_issuer_locality
|
string
|
The certificate issuer locality.
|
| SSL
|
ssl_issuer_organization
|
string
|
The certificate issuer organization.
|
| SSL
|
ssl_issuer_state
|
string
|
The certificate issuer state of residence.
|
| SSL
|
ssl_issuer_street
|
string
|
The certificate issuer street address.
|
| SSL
|
ssl_issuer_unit
|
string
|
The certificate issuer organizational unit.
|
| SSL
|
ssl_serial
|
string
|
The certificate serial number.
|
| SSL
|
ssl_session_id
|
string
|
The session identifier for this certificate.
|
| SSL
|
ssl_start_time
|
string
|
This is the start date and time for this certificate's validity.
|
| SSL
|
ssl_subject
|
string
|
The certificate owner RFC2253 Distinguished Name.
|
| SSL
|
ssl_subject_common_name
|
string
|
This certificate owner common name.
|
| SSL
|
ssl_subject_email
|
string
|
The certificate owner e-mail address.
|
| SSL
|
ssl_subject_locality
|
string
|
The certificate owner locality.
|
| SSL
|
ssl_subject_state
|
string
|
The certificate owner state of residence.
|
| SSL
|
ssl_subject_street
|
string
|
The certificate owner street address.
|
| SSL
|
ssl_subject_unit
|
string
|
The certificate owner organizational unit.
|
| SSL
|
ssl_version
|
string
|
The SSL version of this certificate.
|
Databases
Splunk App for Stream supports these objects and fields in the Databases data model for MySQL, PostgreSQL, Sybase TDS, and Oracle TNS:
| Object name(s)
|
Field name
|
Data type
|
Description
|
| All_Databases
|
user
|
string
|
The Name of the database process user.
|
| All_Databases
|
object
|
string
|
The name of the database object.
|
| Database_instance
|
instance_name
|
string
|
The name of the database_instance
|
| Database_instance
|
database_version
|
string
|
The version of the database_instance
|
| Database_Query
|
query
|
string
|
The database query used for the transaction
|
| Database_Query
|
query_time
|
string
|
The time the system initiated the database query
|
Email
Splunk App for Stream supports these objects and fields in the Email data model:
SMTP
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| All_Email
|
app
|
string
|
|
|
| All_Email
|
action
|
string
|
Action taken by the reporting device.
|
delivered, blocked, quarantined, unknown
|
| All_Email
|
delay
|
number
|
Total sending delay in seconds.
|
|
| All_Email
|
file_name
|
string
|
The name(s) of the file(s) attached to the message, if any exist
|
|
| All_Email
|
process
|
string
|
The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client
|
|
| All_Email
|
protocol
|
string
|
The email protocol involved, such as SMTP or RPC
|
|
| All_Email
|
recipient
|
string
|
A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com"
|
|
| All_Email
|
recipient_count
|
number
|
The total number of intended message recipients
|
|
| All_Email
|
size
|
number
|
The size of the message, in bytes
|
|
| All_Email
|
src_user
|
string
|
The email address of the message sender
|
|
| All_Email
|
status_code
|
string
|
The status code associated with the message
|
|
POP3
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| All_Email
|
app
|
string
|
|
|
| All_Email
|
action
|
string
|
Action taken by the reporting device
|
delivered, blocked, quarantined, unknown
|
| All_Email
|
delay
|
number
|
Total sending delay in seconds
|
|
| All_Email
|
file_name
|
string
|
The name(s) of the file(s) attached to the message, if any exist
|
|
| All_Email
|
protocol
|
string
|
The email protocol involved, such as SMTP or RPC
|
|
| All_Email
|
recipient
|
string
|
A field listing individual recipient email addresses, such as recipient="foo@splunk.com", recipient="bar@splunk.com"
|
|
| All_Email
|
receiver_email
|
string
|
|
|
| All_Email
|
size
|
number
|
The size of the message, in bytes
|
|
| All_Email
|
src_user
|
string
|
The email address of the message sender
|
|
| All_Email
|
status_code
|
string
|
The status code associated with the message
|
|
| All_Email
|
user
|
string
|
This is the user context for the process. This is not the email address for the sender, for that, look at the src_user field.
|
|
| All_Email
|
orig_src
|
string
|
The original source of the message
|
|
IMAP
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| All_Email
|
app
|
string
|
|
|
| All_Email
|
action
|
string
|
Action taken by the reporting device
|
delivered, blocked, quarantined, unknown
|
| All_Email
|
delay
|
number
|
Total sending delay in seconds
|
|
| All_Email
|
file_name
|
string
|
The name(s) of the file(s) attached to the message, if any exist
|
|
| All_Email
|
process
|
string
|
This is the name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client.
|
|
| All_Email
|
protocol
|
string
|
The email protocol involved, such as SMTP or RPC
|
|
| All_Email
|
size
|
number
|
The size of the message, in bytes
|
|
| All_Email
|
status_code
|
string
|
The status code associated with the message
|
|
Network Resolution
DNS
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| DNS
|
answer
|
string
|
Resolved address for the query
|
| DNS
|
answer_count
|
string
|
Number of entries in the answer section of the DNS message
|
| DNS
|
additional_answer_count
|
string
|
Number of entries in the "additional" section of the DNS message
|
| DNS
|
authority_answer_count
|
string
|
Number of entries in the "authority" section of the DNS message
|
| DNS
|
query_count
|
string
|
Number of entries that appear in the "Questions" section of the DNS query
|
Network Sessions
DHCP
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| DHCP
|
lease_duration
|
number
|
The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds
|
Network Traffic
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| All_Traffic
|
app
|
string
|
The application protocol of the traffic
|
| All_Traffic
|
bytes
|
number
|
Total count of bytes handled by this device/interface (bytes_in + bytes_out)
|
| All_Traffic
|
bytes_in
|
number
|
How many bytes this device/interface received
|
| All_Traffic
|
bytes_out
|
number
|
How many bytes this device/interface transmitted
|
| All_Traffic
|
dest
|
string
|
This is the destination of the network traffic (the remote host). This may be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
|
| All_Traffic
|
dest_ip
|
string
|
The IP address of the destination
|
| All_Traffic
|
dest_mac
|
string
|
The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14
|
| All_Traffic
|
dest_port
|
number
|
The destination port of the network traffic
|
| All_Traffic
|
duration
|
string
|
The amount of time for the completion of the network event, in seconds.
|
| All_Traffic
|
response_time
|
string
|
The amount of time it took to receive a response in the network event, if applicable
|
| All_Traffic
|
src
|
string
|
This is the source of the network traffic (the client requesting the connection). It may be aliased from more specific fields, such as src_host, src_ip, or src_name.
|
| All_Traffic
|
src_ip
|
string
|
The iP address of the source
|
| All_Traffic
|
src_mac
|
string
|
This is the source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field.
|
| All_Traffic
|
src_port
|
number
|
The source port of the network traffic
|
| All_Traffic
|
transport
|
string
|
The OSI layer 4 (transport) protocol of the traffic observed, in lower case
|
| All_Traffic
|
user
|
string
|
The user that requested the traffic flow
|
Web
HTTP
| Object name(s)
|
Field name
|
Data type
|
Description
|
Possible values
|
| Web
|
action
|
string
|
The action taken by the server or proxy
|
| Web
|
app
|
string
|
The app recording the data, such as IIS, Squid, or Bluecoat
|
| Web
|
bytes
|
number
|
The total number of bytes transferred (bytes_in + bytes_out)
|
| Web
|
bytes_in
|
number
|
The number of inbound bytes transferred
|
| Web
|
bytes_out
|
number
|
The number of outbound bytes transferred
|
| Web
|
cookie
|
string
|
The cookie file recorded in the event
|
| Web
|
dest
|
string
|
The destination of the network traffic (the remote host)
|
| Web
|
duration
|
number
|
The time taken by the proxy event, in milliseconds
|
| Web
|
http_content_type
|
string
|
The content-type of the requested HTTP resource
|
| Web
|
http_method
|
string
|
The HTTP method used in the request
|
GET, PUT,POST, DELETE, etc
|
| Web
|
http_referrer
|
string
|
This is the HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. A FIELDALIAS is recommended to handle both key names.
|
| Web
|
http_user_agent
|
string
|
The user agent used in the request
|
| Web
|
response_time
|
number
|
The amount of time it took to receive a response, if applicable, in milliseconds
|
| Web
|
src
|
string
|
The source of the network traffic (the client requesting the connection)
|
| Web
|
status
|
string
|
The HTTP response code indicating the status of the proxy request
|
404, 302, 500, and so on
|
| Web
|
uri_path
|
string
|
The universal resource indicator path of the resource served by the webserver or proxy
|
| Web
|
uri_query
|
string
|
The universal resource indicator path of the resource requested by the client
|
| Web
|
url
|
string
|
The URL of the requested HTTP resource
|
| Web
|
user
|
string
|
The user that requested the HTTP resource
|
Download manual
Feedback submitted, thanks!