
This section describes the fields that appear in the reports and dashboards: the Splunk default fields, the commonly extracted fields and, for each index, the extracted fields with their value range and data source. Use them to define your own dashboards and searches.

Splunk default fields

The Splunk indexer adds the following default fields to every event in every index.

Field Name | Description | Values/Range
date_hour | Hour of the day at which the event occurred. The date_* fields let a search narrow down to specific parts of the event timestamp. | Range: 0-23
date_mday | Day of the month on which the event occurred | Range: 1-31
date_minute | Minute at which the event occurred | Range: 0-59
date_month | Month in which the event occurred | Example: january
date_second | Second at which the event occurred | Range: 0-59
date_wday | Day of the week on which the event occurred | Example: sunday, monday
date_year | Year in which the event occurred | Example: 2017
date_zone | Time zone of the event timestamp, expressed as an offset from UTC; local when the timestamp carries no zone | Example: local
eventtype | Event types assigned to the event. An event type is a saved search; every event that matches it gets the event type's name in this field. | Example: splunkd-log
host | Host name or IP address of the system that generated the event | Example: reporting-1.com
index | Name of the index in which the event is stored | Example: ib_dns_summary
linecount | Number of lines in the event before it was indexed | Example: 1
punct | Punctuation pattern of the first line of the event: the first thirty punctuation characters that remain once letters and digits are removed, with each space shown as an underscore. Periods, colons, parentheses, quotes, question marks, dashes and underscores are kept. Grouping events by punct is a quick way to find events whose shape differs from the rest. | Example: -_::._[]:___.../_=
source | Name of the file, stream or other input from which the event originates | Example: si-search-dns-query-reply
sourcetype | Format of the data input from which the event originates | Example: stash
splunk_server | Name of the Splunk indexer that holds the event | Example: reporting-2.com-2-slave
splunk_server_group | Name of the server group to which the indexer belongs | String


Commonly extracted fields

The per-index tables below refer to these fields as Common extracted fields.

Field Name | Description | Values/Range
EA | Extensible attribute | String
HWTYPE | Hardware type of the member | Example: IB-4030
MAX_DB_OBJECTS | Maximum number of objects in the database for the host | Example: 8000000
MAX_DHCP_LPS | Maximum number of DHCP leases per second for the host | Example: 15.0
MAX_DNS_QPS | Maximum number of DNS queries per second for the host | Example: 1000000.0
MEMBER_IP | IP address of the member | IP address
timeendpos | Offset in the raw event at which the timestamp ends. Derived from the TIME_FORMAT configured for the sourcetype. | Example: 26
timestartpos | Offset in the raw event at which the timestamp starts | Example: 0
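
Two of the fields above, punct (in the Splunk default fields table) and the timestartpos/timeendpos pair, are computed from the raw event rather than extracted from it. The following Python is an added example, not code from Infoblox or Splunk: it rebuilds both from constructed audit-log-shaped lines so you can see what a search such as `stats count by punct` is grouping on, and how a sourcetype's TIME_FORMAT determines the timestamp offsets. The sample lines, the TIME_FORMAT value and the names punct, timestamp_span and rare_shapes are assumptions made for the example; the space-to-underscore rule and the thirty-character cap follow Splunk's documented punct behaviour.

```python
import re
from collections import Counter

# Constructed sample events shaped like Infoblox audit log lines (sample data,
# not from a real appliance).
LINES = [
    "2017-01-31 01:57:05.374Z [admin]: Called - RequestRestartServiceStatus - Pending Approval",
    "2017-01-31 01:58:11.002Z [admin]: Called - RequestRestartServiceStatus - Pending Approval",
    "2017-01-31 02:03:40.511Z [jsmith]: Called - RequestRestartServiceStatus - Pending Approval",
    "2017-01-31 02:04:02.900Z [jsmith]: Login_Allowed - - to=Serial Console apparently_via=Direct auth=Local group=.admin-group",
    "2017-01-31 02:05:17.120Z [jsmith]: Called - - object=network/10.0.0.0/8/default action=modify changes=[comment,disable] view=default",
]

# Assumed props.conf TIME_FORMAT for this sourcetype; %3N is Splunk's
# three-digit sub-second directive. The trailing Z is matched literally.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3NZ"

PUNCT_MAX = 30  # punct keeps only the first thirty punctuation characters


def punct(event):
    """Rebuild Splunk's punct field for one event.

    Only the first line counts; letters and digits are dropped, each space
    becomes an underscore, every other character is kept verbatim, and the
    pattern is cut at PUNCT_MAX characters. Tabs are not modelled here.
    """
    out = []
    for ch in event.split("\n", 1)[0]:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else ch)
        if len(out) == PUNCT_MAX:
            break
    return "".join(out)


# strptime directives -> regex, for the subset of TIME_FORMAT used here.
_DIRECTIVE_RE = {
    "Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}",
    "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}",
    "Z": r"[A-Za-z]+", "z": r"[+-]\d{4}",
}


def time_format_to_regex(fmt):
    """Translate a TIME_FORMAT string into a compiled regex (subset only)."""
    parts = []
    i = 0
    while i < len(fmt):
        if fmt[i] != "%":
            parts.append(re.escape(fmt[i]))
            i += 1
            continue
        i += 1
        width = ""
        while i < len(fmt) and fmt[i].isdigit():  # the 3 in %3N
            width += fmt[i]
            i += 1
        directive = fmt[i]
        i += 1
        if directive == "N":  # sub-seconds, fixed width if one was given
            parts.append(r"\d{%s}" % (width or "1,9"))
        else:
            parts.append(_DIRECTIVE_RE[directive])
    return re.compile("".join(parts))


def timestamp_span(event, fmt=TIME_FORMAT):
    """Return (timestartpos, timeendpos) for the first TIME_FORMAT match in
    the first line, or None when the line carries no parseable timestamp."""
    m = time_format_to_regex(fmt).search(event.split("\n", 1)[0])
    return None if m is None else (m.start(), m.end())


def rare_shapes(events, max_seen=1):
    """Events whose punct pattern occurs at most max_seen times in the batch,
    which is what a `stats count by punct` hunt surfaces at the bottom."""
    counts = Counter(punct(e) for e in events)
    return [e for e in events if counts[punct(e)] <= max_seen]


if __name__ == "__main__":
    for e in LINES:
        print(timestamp_span(e), punct(e))
    for e in rare_shapes(LINES):
        print("rare shape:", e)
```

The three Called lines share one pattern, the login line and the network change each have their own, and the last line shows the thirty-character cap cutting the pattern before the trailing view=default. Note that punct is computed before field extraction, so it only sees the first line of a multi-line event.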

Indexes and Extracted Data

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
ACTION | Action taken | String. Example: Called | Infoblox audit logs
ADMIN | Name of the admin who performed the action | String. Example: root | Infoblox audit logs
EXEC_STATUS | Execution status of the action | String. Example: Pending Approval | Infoblox audit logs
MESSAGE | Message text of the audit entry | String. Example: to=Serial\040Console apparently_via=Direct auth=Local group=.admin-group | Infoblox audit logs
OBJECT_NAME | Name of the object acted on | String. Example: RequestRestartServiceStatus | Infoblox audit logs
OBJECT_TYPE | Type of the object acted on | String. Example: Shared AAAA Record | Infoblox audit logs
TIMESTAMP | Timestamp of the audit entry | Timestamp. Example: 2017-01-31 01:57:05 | Infoblox audit logs
action | Action recorded in the message | Example: update, insert | Infoblox audit logs
address | Network address | Example: 10.0.0.0 | Infoblox audit logs
auth | Authentication type | Example: Local | Infoblox audit logs
cidr | CIDR prefix length | Example: 8 | Infoblox audit logs
code | Result code | Example: created | Infoblox audit logs
comment | Comment | String | Infoblox audit logs
group | Admin group | Example: admin-group | Infoblox audit logs
member | Grid member | Example: Member:infoblox.localdomain | Infoblox audit logs
network_view | Network view | Example: default | Infoblox audit logs
user | User name | Example: admin | Infoblox audit logs
EA, HWTYPE, MAX_DB_OBJECTS, MAX_DHCP_LPS, MAX_DNS_QPS, MEMBER_IP | See Commonly extracted fields | |
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, eventtype, host, index, linecount, punct, source, sourcetype, splunk_server, splunk_server_group | See Splunk default fields | |

Infoblox DNS Query, DNS Performance, DDNS, DNS Record Scavenging

Extracted Field Name | Description of the field | Values/Range | Source of Data
CLIENT | DNS client | String | Infoblox DNS query
COUNT | Count | Integer | Infoblox DNS query and DNS record scavenging
FQDN | Fully qualified domain name | String | Infoblox DNS query
HITS | DNS cache hit count | Integer | Infoblox DNS query
HNAME | Host name | String | Infoblox DNS query
LATENCY | Response latency | Integer | Infoblox DNS performance
MEMBER | Grid member | String | DNS record scavenging
MISSES | DNS cache miss count | Integer | Infoblox DNS query
QCOUNT | Query count | Integer | Infoblox DNS query
REST | | String | Infoblox DDNS
SOURCE | | String | Infoblox DDNS
SOURCEA | | IP address | Infoblox DDNS
TLD | Top-level domain of the queried name | String | Infoblox DNS query
TYPE | DNS response type | String. Example: nxdomain | Infoblox DNS query and DNS record scavenging
TYPEA | | String. Example: Success | Infoblox DDNS
VIEW | DNS view key; mapped to the view name through a lookup (see display_name) | String | Infoblox DNS query
ZONE | Name of the zone | String | Infoblox DDNS
display_name | Name of the DNS view | String |
failure | Count of DNS queries answered with FAILURE | Integer |
nxdomain | Count of DNS queries answered with NXDOMAIN | Integer |
nxrrset | Count of DNS queries answered with NXRRSET | Integer |
other | Count of DNS queries with any other response | Integer |
referral | Count of DNS queries answered with REFERRAL | Integer |
success | Count of DNS queries answered successfully | Integer |
EA, HWTYPE, MAX_DB_OBJECTS, MAX_DHCP_LPS, MAX_DNS_QPS, MEMBER_IP, timeendpos, timestartpos | See Commonly extracted fields | |
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, eventtype, host, index, linecount, punct, source, sourcetype, splunk_server, splunk_server_group | See Splunk default fields | |

Infoblox DNS Query Capture

Extracted Field Name | Description of the field | Values/Range | Source of Data
answer_count | Number of answers in the response | Integer | Infoblox DNS query capture
display_name | Name of the DNS view | String |
flag_aa | Authoritative Answer (AA) flag | Boolean. Example: Y | Infoblox DNS query capture
flag_ad | Authenticated Data (AD) flag | Boolean. Example: Y | Infoblox DNS query capture
flag_edns | EDNS flag | Boolean. Example: Y | Infoblox DNS query capture
flag_recursion | Recursion flag | Boolean. Example: Y | Infoblox DNS query capture
host_class | Host class | Example: IN | Infoblox DNS query capture
host_type | Host type | Example: PTR | Infoblox DNS query capture
message_type | Message type | Example: Query or Response | Infoblox DNS query capture
name | Name | Host name. Example: 1.0.0.127.in-addr.arpa | Infoblox DNS query capture
query | Queried name | Host name. Example: 213.31.102.10.in-addr.arpa | Infoblox DNS query capture
query_class | Query class | Example: IN | Infoblox DNS query capture
query_count | Query count | Integer. Example: 1 | Infoblox DNS query capture
query_source | Query source | Example: I, E | Infoblox DNS query capture
query_type | DNS query type | Example: PTR | Infoblox DNS query capture
rdata | RDATA of the answer; its form depends on the query type | String | Infoblox DNS query capture
reply_code | Reply code | String. Example: ServFail, NoError | Infoblox DNS query capture
src_ip | Source IP address of the query | IP address | Infoblox DNS query capture
src_port | Source port of the query | Integer | Infoblox DNS query capture
time_msec | Time in milliseconds | Integer | Infoblox DNS query capture
timestamp | Timestamp | Integer | Infoblox DNS query capture
transport | Transport protocol | Example: UDP, TCP | Infoblox DNS query capture
ttl | TTL of the answer | Integer. Example: 3600 | Infoblox DNS query capture
view | DNS view | Example: 1, 2 | Infoblox DNS query capture
EA, HWTYPE, MAX_DB_OBJECTS, MAX_DHCP_LPS, MAX_DNS_QPS, MEMBER_IP, timeendpos, timestartpos | See Commonly extracted fields | |
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, eventtype, host, index, linecount, punct, source, sourcetype, splunk_server, splunk_server_group | See Splunk default fields | |

Infoblox DHCP Performance

...

Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks
CLIENT | IP address of the DNS client | | Example: 10.39.18.60 | |
COUNT | Count of DNS queries | si_dns_top_clients | Integer | |
COUNT | Count of SERVFAIL errors received for DNS clients | si_top_servfail_received_queries | Integer | |
COUNT | Count of NXDOMAIN/NOERROR (no data) replies for DNS clients | si_top_nxdomain_query | Integer | |
COUNT | Count of requests for a DNS domain name | si_dns_requested_domain | Integer | |
COUNT | Count of DNS queries per second | si_dns_qps_trend | Integer | |
COUNT | Count of SERVFAIL errors sent for DNS queries | si_top_servfail_sent_queries | Integer | |
COUNT | Count of timed-out recursive DNS queries | si_top_timeout_queries | Integer | |
COUNT | Average count of DNS RPZ hits | si_dns_rpz_hits | Integer | |
COUNT | Count of DNS clients per domain | si_top_clients_per_domain | Integer | |
FQDN | Fully qualified domain name | si_dns_requested_domain, si_top_clients_per_domain | Example: 213.31.102.10.in-addr.arpa | |
MEMBER | Grid member | | String | Infoblox DNS Summary |
TLD | Top-level domain name | si_dns_requested_domain | Example: arpa | |
TYPE | DNS response type | si_dns_query_reply, si_dns_qps_trend, si_ddns_update | SUCCESS/NOERROR, REFERRAL, NXRRSET, NXDOMAIN, REFUSED or OTHER | |
VIEW | DNS view key; mapped to the view name through a lookup (see display_name) | si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries | Example: _default | |
display_name | Name of the DNS view | si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries | Example: default.MS-2016 | |
info_max_time, info_min_time, info_search_time, search_name, search_now | Common summary index fields | | | |
orig_host | Host name of the original data source | | Example: infoblox.com | | Splunk added default field
psrsvd_ct_COUNT | ct = count: number of values recorded for COUNT | si_dns_query_reply, si_dns_qps_trend | | | Splunk added special field
psrsvd_ct_LATENCY | Number of values recorded for LATENCY | si_dns_response_latency_trend | | | Splunk added special field
psrsvd_ct_QCOUNT | Number of values recorded for QCOUNT | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | | | Splunk added special field
psrsvd_gc | gc = group count: number of events in the stats group. Not scoped to a single field. | si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend | | | Splunk added special field
psrsvd_nc_COUNT | nc = numeric count: number of numeric values recorded for COUNT | si_dns_query_reply, si_dns_qps_trend | | | Splunk added special field
psrsvd_nc_LATENCY | Number of numeric values recorded for LATENCY | si_dns_response_latency_trend | | | Splunk added special field
psrsvd_nc_QCOUNT | Number of numeric values recorded for QCOUNT | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | | | Splunk added special field
psrsvd_nx_QCOUNT | nx = numeric maximum: largest numeric value of QCOUNT | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day | | | Splunk added special field
psrsvd_sm_COUNT | sm = sum: sum of the COUNT values | si_dns_query_reply, si_dns_qps_trend | | | Splunk added special field
psrsvd_sm_LATENCY | Sum of the LATENCY values | si_dns_response_latency_trend | | | Splunk added special field
psrsvd_sm_QCOUNT | Sum of the QCOUNT values | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | | | Splunk added special field
psrsvd_sx_QCOUNT | sx = lexicographic maximum: largest QCOUNT value when compared as strings | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day | | | Splunk added special field
psrsvd_v | v = version of the prestats encoding. Not scoped to a single field. | si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend | | | Splunk added special field
psrsvd_vt_COUNT | vt = value type: precision of the COUNT field | si_dns_query_reply, si_dns_qps_trend | | | Splunk added special field
psrsvd_vt_LATENCY | Precision of the LATENCY field | si_dns_response_latency_trend | | | Splunk added special field
psrsvd_vt_QCOUNT | Precision of the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | | | Splunk added special field
report | Name of the report that populates the summary index | | One of the values listed below | |
EA, HWTYPE, MAX_DB_OBJECTS, MAX_DHCP_LPS, MAX_DNS_QPS, MEMBER_IP, timeendpos, timestartpos | See Commonly extracted fields | | | |
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, eventtype, host, index, linecount, source, sourcetype, splunk_server, splunk_server_group | See Splunk default fields | | | |

Values of the report field and the summary index each one populates:

  DNS Scavenge Object Count Trend data: si_dns_reclaimed_object_count_trend
  DNS Top Clients report data: si_dns_top_clients
  DNS Replies Trend data: si_dns_query_reply
  DNS Top SERVFAIL Errors Received Report data: si_top_servfail_received_queries
  DNS Response Latency Trend data: si_dns_response_latency_trend
  DNS Daily Peak Hour Query Rate by Member Report data: si_dns_member_qps_trend_per_hour
  DNS Top NXDOMAIN / NOERROR (no data) Report data: si_top_nxdomain_query
  DNS Daily Query Rate by Member Report data: si_dns_member_qps_trend_per_day
  DNS Query Rate by Member Report data: si_dns_member_qps_trend
  DNS Top Requested Domain Names Report data: si_dns_requested_domain
  DNS Queries Per Second Trend data: si_dns_qps_trend
  DNS Top SERVFAIL Errors Sent Report data: si_top_servfail_sent_queries
  DDNS Update Rate Trend data: si_ddns_update
  DNS Cache Hit Rate Trend data: si_dns_cache_hit_ratio
  DNS Top Timed-Out Recursive Queries Report data: si_top_timeout_queries
  DNS RPZ Hits Reports data: si_dns_rpz_hits
  DNS Top Clients per Domain Report data: si_top_clients_per_domain
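
The psrsvd_* rows above are partial aggregates, not final results, and a search over the summary index has to combine them correctly. The following Python is an added example, not code from Infoblox or Splunk: it re-implements that reduction from the descriptions in the table (gc, ct, nc, sm, nx, sx and v) over constructed rows shaped like the output of si_dns_member_qps_trend_per_hour. The row shape, the member names and the exact field set are assumptions; inside Splunk a `stats` over the summary index performs this merge for you. It shows why an average must be rebuilt from sm and nc rather than from per-interval averages, why nx and not sx is the numeric maximum, and what a gap between ct and nc means.

```python
# Constructed summary-index rows shaped like the events that the
# si_dns_member_qps_trend_per_hour search writes (sample data; the exact
# psrsvd_* field set is an assumption taken from the table above).
ROWS = [
    {"MEMBER": "ns1.example.net", "date_hour": 9, "psrsvd_v": 1, "psrsvd_gc": 60,
     "psrsvd_ct_QCOUNT": 60, "psrsvd_nc_QCOUNT": 60, "psrsvd_sm_QCOUNT": 6000.0,
     "psrsvd_nx_QCOUNT": 150.0, "psrsvd_sx_QCOUNT": "99"},
    # A partial hour: half as many samples, so it must weigh half as much.
    {"MEMBER": "ns1.example.net", "date_hour": 10, "psrsvd_v": 1, "psrsvd_gc": 30,
     "psrsvd_ct_QCOUNT": 30, "psrsvd_nc_QCOUNT": 30, "psrsvd_sm_QCOUNT": 6000.0,
     "psrsvd_nx_QCOUNT": 400.0, "psrsvd_sx_QCOUNT": "99"},
    # One sample carried a non-numeric QCOUNT, so ct and nc differ by one and
    # the lexicographic maximum is that string, not a number.
    {"MEMBER": "ns2.example.net", "date_hour": 9, "psrsvd_v": 1, "psrsvd_gc": 60,
     "psrsvd_ct_QCOUNT": 60, "psrsvd_nc_QCOUNT": 59, "psrsvd_sm_QCOUNT": 2950.0,
     "psrsvd_nx_QCOUNT": 80.0, "psrsvd_sx_QCOUNT": "N/A"},
]


def merge_prestats(rows, field, group_by="MEMBER"):
    """Combine per-interval prestats rows into one partial per group.

    Counts (gc, ct, nc) and sums (sm) add up; the numeric (nx) and
    lexicographic (sx) maxima keep the larger value. Rows with a different
    psrsvd_v are refused: the version says how the partials were encoded.
    """
    merged = {}
    for row in rows:
        key = row[group_by]
        acc = merged.setdefault(key, {"v": row["psrsvd_v"], "gc": 0, "ct": 0,
                                      "nc": 0, "sm": 0.0, "nx": None, "sx": None})
        if row["psrsvd_v"] != acc["v"]:
            raise ValueError(f"{key}: psrsvd_v {row['psrsvd_v']} != {acc['v']}")
        acc["gc"] += row["psrsvd_gc"]
        acc["ct"] += row[f"psrsvd_ct_{field}"]
        acc["nc"] += row[f"psrsvd_nc_{field}"]
        acc["sm"] += row[f"psrsvd_sm_{field}"]
        for part in ("nx", "sx"):
            value = row[f"psrsvd_{part}_{field}"]
            acc[part] = value if acc[part] is None else max(acc[part], value)
    return merged


def finalize(acc):
    """What a stats over the merged partials reports for the field."""
    return {
        "events": acc["gc"],                   # rows in the stats group
        "count": acc["ct"],                    # values recorded
        "non_numeric": acc["ct"] - acc["nc"],  # values that avg() skips
        "sum": acc["sm"],
        "avg": acc["sm"] / acc["nc"] if acc["nc"] else None,
        "max": acc["nx"],                      # never sx: "99" > "150" as strings
    }


def naive_average_of_averages(rows, field, member):
    """The mistake to avoid: averaging each interval's own average treats a
    half-full interval the same as a full one."""
    avgs = [r[f"psrsvd_sm_{field}"] / r[f"psrsvd_nc_{field}"]
            for r in rows if r["MEMBER"] == member]
    return sum(avgs) / len(avgs)


def daily_qps(rows):
    """Per-member daily QCOUNT statistics rebuilt from the hourly partials."""
    return {member: finalize(acc)
            for member, acc in merge_prestats(rows, "QCOUNT").items()}


if __name__ == "__main__":
    for member, stats in daily_qps(ROWS).items():
        print(member, stats)
    print("naive ns1 avg:", naive_average_of_averages(ROWS, "QCOUNT", "ns1.example.net"))
```

For ns1 the correct daily average is 12000/90, about 133 queries per second, while averaging the two hourly averages gives 150 because the half-full hour is overweighted. For ns2 the one non-numeric sample is visible as ct minus nc, and the sx value "N/A" shows why a report that needs a peak rate must read nx.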



...