Introduction
Splunk default fields
Splunk server adds the following default fields to each event in every index.
Field Name | Description | Values/Range | ||||||||
| Indicates the hour when an event occurred. To narrow your search for specific event timestamps, you can use the default datetime fields. Click here for more information on datetime fields. | Range: 0-23 | ||||||||
| Indicates the day of the month when the event occurred | Range: 1-31 | ||||||||
| Indicates the exact minute when the event occurred | Range: 0-59 | ||||||||
| Indicates the month during which an event occurred | |||||||||
| Indicates the second in which an event occurred | Range: 0-59 | ||||||||
| Indicates the day of the week in which an event occurred | Example: Sunday, Monday, etc. | ||||||||
| Indicates the year in which an event occurred | |||||||||
| Indicates the time for the local timezone of an event, expressed as hours in Unix Time | |||||||||
| Indicates events of the same type based on a given search. Click here for more information | Example: splunkd-log | ||||||||
| Contains information about the originating hostname or a network IP address that generates the event | Example: reporting-1.com | ||||||||
| Contains the name of the index with which a given event is indexed | Example: ib_dns_summary | ||||||||
| Contains information about the number of lines in an event before it is indexed | Example: 1 | ||||||||
| Contains information about the pattern of the first thirty punctuation characters in the first line of the event with which it is associated. It shows how an event looks when all letters, numbers, and spaces are removed and contains characters such as periods, colons, parentheses, quotes, question marks, dashes, and underscores. Click here for more information. |
| ||||||||
| Contains the name of the file, stream, or other input details from which the event originates | Example: si-search-dns-query-reply | ||||||||
| Specifies the format of data input from which the event originates | Stash | ||||||||
| Contains the name of the Splunk server that comprises the event | Example: reporting-2.com-2-slave | ||||||||
| Contains the name of the Splunk server group | String |
| Anchor | ||||
|---|---|---|---|---|
|
Field Name | Description | Values/Range | Source of Data | ||||||
| Specifies the extensible attribute | String | '__grouping_by_ea_tag_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/grouping_by_ea_tag_map.csv with 'host' value as input OR'pool_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_pools.csv with 'pool' value as inputOR'resource_pool_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_resources.csv with 'RESOURCE' value as inputOR'network_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/network.csv with 'NETWORK' value as input | ||||||
| Specifies the hardware type | Example: IB-4030 | nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input. | ||||||
| Specifies the maximum objects in the database for a host | 'nios_member_hw_lookup' lookup from /storage/splunk/etc/ap. Example: 8000000. | |||||||
| Specifies the maximum number of DHCP leases per second for a host | Example: 15.0 | 'nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input. | ||||||
| Specifies the maximum DNS queries per second for a host | Example: 1000000.0 | 'nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input. | ||||||
| Specifies the IP address of the member | IP address | 'nios_member_ip_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_ip.csv with 'host' value as input | ||||||
| Specifies the byte at which the timestamp ends. These values are based on the TIME_FORMAT that is specified for a sourcetype under props.conf. | Example: 26 | |||||||
| Specifies the byte at which the timestamp starts | Example: 0 |
...
Infoblox Discovered Devices related dashboards/reports
| Extracted Field Name | Description of the field | Values/Range | Source of Data |
| ADM_DN_OP_DN_COUNT | Admin-Down/Operation-DownPort Count | Integer | Infoblox discovered devices related |
| ADM_UP_OP_DN_COUNT | Admin-Up/Operation-UpPort Count | Integer | Infoblox discovered devices related |
| ADM_UP_OP_UP_COUNT | Admin-Up/Operation-DownPort Count | Integer | Infoblox discovered devices related |
| COMPONENT_NAME | Specifies the component name | String. Example: DELL-PC8024F | Infoblox discovered devices related |
| COMPONENT_TYPE | Specifies the component type | String. Example: Switch-Router | Infoblox discovered devices related |
| COMPONENT_PORT | Specifies the component port | String. Example: Gi1/0/24 | Infoblox discovered devices related |
| DEVICE_MGMT_IP | Specifies the device management IP address | IP address | Infoblox discovered devices related |
| DEVICE_MODEL | Specifies the device model | String. Example: EX2200 | Infoblox discovered devices related |
| DEVICE_NAME | Specifies the device name | String. Example: Cisco_434f44 | Infoblox discovered devices related |
| DEVICE_TYPE | Specifies the device type | String. Example: Switch, Router | Infoblox discovered devices related |
| DEVICE_VENDOR | Specifies the device vendor | String. Example: Avaya | Infoblox discovered devices related |
| DISCOVERED_MAC_DUID | Specifies the discovered MAC DUID | MAC address | Infoblox discovered devices related |
DISCOVERED_NAME | Specifies the discoverd name | Example: dev_view1.yahoo.com | Infoblox discovered devices related |
| EA | Common Extracted fields | ||
| HWTYPE | Common Extracted fields | ||
| IN_USE_FLAG | In use flag | Integer. Example: 1 | Infoblox discovered devices related |
| IPADDR | Specifies the IP address | IP Address. Example: 11.11.11.11 | Infoblox discovered devices related |
| IPADDR_MASK | Specifies the IP address mask | Integer. Example: 128 | Infoblox discovered devices related |
| MAC_DUID | Specifies the MAC address | MAC address | Infoblox discovered devices related |
| MAX_DB_OBJECTS | Common Extracted fields | ||
| MAX_DHCP_LPS | Common Extracted fields | ||
| MAX_DNS_QPS | Common Extracted fields | ||
| MEMBER_IP | Common Extracted fields | ||
| NETWORK_VIEW | Specifies the network view | String. Example: default | Infoblox discovered devices related |
| NON_NULL_NAME | Specifies the non-null name | String. Example: DELL-PC8024F | Evaluated from the COMPONENT_NAME field |
| NON_NULL_PORT | Specifies the non-null port | String. Example: Gi1/0/24 | Evaluated from COMPONENT_PORT field |
| TIMESTAMP | Specifies the timestamp | Timestamp. Example: 2017-02-15 15:56:27 | Infoblox discovered devices related |
TIMESTAMP_USER_HOST_ PROCESS_PID_INFO_PREFIX | Specifies the timestamp userhost process pid info prefix | String. Example: 2017-02-15T11:02:53+00:00 user infoblox.localdomain <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e5d51f7e-f354-4235-870a-9e02f49b3d41"><ac:plain-text-body><![CDATA[python[]: info ipaddr-activity-rpt | Infoblox discovered devices related |
| TOTAL_AVAIL_COUNT | Specifies the total available count | Integer | Infoblox discovered devices related |
| Type | Specifies the type | String. Example: Discovery | 'ipaddr_mask_lookup' lookup from /storage/splunk/etc/apps/infoblox |
value as input | |||
| ap_bss_mac | Access Point BSS MAC | MAC address | Infoblox discovered devices related dashboards/reports |
| ap_ip_dotted | Access Point IP dotted | String | Infoblox discovered devices related dashboards/reports |
| ap_mac | Access Point MAC | MAC address | Infoblox discovered devices related dashboards/reports |
| ap_name | Access Point name | String | Infoblox discovered devices related dashboards/reports |
| ap_associated_ssid | Access Point associated SSID | String | Infoblox discovered devices related dashboards/reports |
| asset_type | Specifies the asset type | String. Example: Physical Device | Infoblox discovered devices related dashboards/reports |
| class | Specifies the class name | String. Example: port | Infoblox discovered devices related dashboards/reports |
| component_name | Specifies the component name | String. Example: GigabitEthernet1/0/1 | Infoblox discovered devices related dashboards/reports |
| date_hour | Splunk Default field | ||
| date_mday | Splunk Default field | ||
| date_minute | Splunk Default field | ||
| date_month | Splunk Default field | ||
| date_second | Splunk Default field | ||
| date_wday | Splunk Default field | ||
| date_year | Splunk Default field | ||
| date_zone | Splunk Default field | ||
| Description | Specifies the description | String. Example: Gigabit Ethernet Port | Infoblox discovered devices related dashboards/reports |
| device_id | Specifies the device ID | Integer | Infoblox discovered devices related dashboards/reports |
| device_ip_address | Specifies the device IP address | IP address | Infoblox discovered devices related dashboards/reports |
| device_model | Specifies the device model | String. Example: catalyst37xxStack | Infoblox discovered devices related dashboards/reports |
| device_name | Specifies the device name | String. Example:DELL-PC8024F | Infoblox discovered devices related dashboards/reports |
| device_os_version | Specifies the device OS version | String. Example: 4.14.6M | Infoblox discovered devices related dashboards/reports |
| device_type | Specifies the device type | String. Example: Switch | Infoblox discovered devices related dashboards/reports |
| device_vendor | Specifies the device vendor | String. Example: Cisco | Infoblox discovered devices related dashboards/reports |
| device_version | Specifies the device version | String. Example: 5.1.2.3 | Infoblox discovered devices related dashboards/reports |
| display_name | Specifies the DNS view | String | Infoblox discovered devices related dashboards/reports |
| end_host_addl_info | Specifies additional information about the end host | String | Infoblox discovered devices related dashboards/reports |
| end_host_device_model | Specifies the device model of the end host | String. Example: catalyst37xxStack | Infoblox discovered devices related dashboards/reports |
| end_host_device_type | Specifies the device type of the end host | String. Example: Switch-Router | Infoblox discovered devices related dashboards/reports |
| end_host_device_vendor | Specifies the device vendor of the end host | String. Example: Cisco | Infoblox discovered devices related dashboards/reports |
| end_host_first_discovered | Specifies the first occasion when the end host was first discovered | Integer | Infoblox discovered devices related dashboards/reports |
| end_host_ip_address | Specifies the IP address of the end host | IP address | Infoblox discovered devices related dashboards/reports |
| end_host_last_discovered | Indicates when was end host last discovered | Integer | Infoblox discovered devices related dashboards/reports |
| end_host_mac_address | Specifies the MAC address of the end host | MAC address | Infoblox discovered devices related dashboards/reports |
| end_host_name | Specifies the name of the end host | String. Example: WS-C3750X-24P | Infoblox discovered devices related dashboards/reports |
| end_host_network_view | Specifies the network view of the end host | String. Example: custom view | Infoblox discovered devices related dashboards/reports |
| end_host_os_version | Specifies the version of the end host OS | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
| eventtype | Splunk Default field | ||
| firmware_rev | Indicates firmware revision | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
| first_seen | First seen timestamp | Integer | Infoblox discovered devices related dashboards/reports |
| hardware_rev | Specifies revision of the hardware | String. Example: V05 | Infoblox discovered devices related dashboards/reports |
| host | Splunk Default field | ||
| index | Splunk Default field | ||
| interface_admin_status | Specifies the interface admin status | String. Example: up | Infoblox discovered devices related dashboards/reports |
| interface_description | Specifies the interface interface description | String | Infoblox discovered devices related dashboards/reports |
| interface_ip_address | Specifies the interface IP address | IP address | Infoblox discovered devices related dashboards/reports |
| interface_name | Specifies the interface name | String. Example: Fa0 | Infoblox discovered devices related dashboards/reports |
| interface_port_status | Specifies the interface port status | String. Example: up | Infoblox discovered devices related dashboards/reports |
| interface_speed | Specifies the interface speed | Integer. Example: 1000000000 | Infoblox discovered devices related dashboards/reports |
| interface_type | Specifies the interface type | String. Example: tunnel | Infoblox discovered devices related dashboards/reports |
| interface_vlan | Specifies the interface VLAN ID | Integer Example: 16 | Infoblox discovered devices related dashboards/reports |
| interface_vlan_name | Specifies the interface VLAN name | String. Example: VLAN1014 | Infoblox discovered devices related dashboards/reports |
| ip_address | Specifies the IP address | IP address | Infoblox discovered devices related dashboards/reports |
| is_trunk_port | Specifies if it is a trunk port or not | Boolean | Infoblox discovered devices related dashboards/reports |
| last_seen | Specifies the last seen timestamp | Integer | Infoblox discovered devices related dashboards/reports |
| linecount | Splunk Default field | ||
| model | Specifies the model name | String. Example: DCS-7048T-A | Infoblox discovered devices related dashboards/reports |
| network_view | Specifies the network view | String. Example: custom view | Infoblox discovered devices related dashboards/reports |
| port_last_changed_at | The timestamp when the port was last changed | Timestamp | Infoblox discovered devices related dashboards/reports |
| punct | Splunk Default field | ||
| serial_number | Specifies the serial number | String. Example: JPE12440180 | Infoblox discovered devices related dashboards/reports |
| software_rev | Specifies the software revision | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
| source | Splunk Default field | ||
| sourcetype | Splunk Default field | ||
| splunk_server | Splunk Default field | ||
| splunk_server_group | Splunk Default field | ||
| switch_interface | Specifies the switch interface | String. Example: Gi0/47 | Infoblox discovered devices related dashboards/reports |
| switch_ip_address | Specifies the switch IP Address | IP Address | Infoblox discovered devices related dashboards/reports |
| switch_model | Indicates the switch model | String. Example: cat3560x48 | Infoblox discovered devices related dashboards/reports |
| switch_name | Specifies the switch name | String. Example: ni-mri-sw4.inca.infoblox.com | Infoblox discovered devices related dashboards/reports |
| switch_os_version | Specifies the OS version of the switch | String. Example: 12.2(53)SE2 | Infoblox discovered devices related dashboards/reports |
| switch_type | Specifies the switch type | String. Example: Switch | Infoblox discovered devices related dashboards/reports |
| switch_vendor | Specifies the vendor of the switch | String. Example: Cisco | Infoblox discovered devices related dashboards/reports |
| switch_vlan | Specifies the switch VLAN | Integer. Example: 18 | Infoblox discovered devices related dashboards/reports |
| timeendpos | Common extracted fields | ||
| timestamp | Indicates the timestamp | Integer | Infoblox discovered devices related dashboards/reports |
| timestamp_user_host_process_pid_info_prefix | Specifies the prefix | String | Infoblox discovered devices related dashboards/reports |
| timestartpos | Common extracted fields | ||
| user_id | Specifies the User ID | Infoblox discovered devices related dashboards/reports | |
| View | Specifies the DNS view | String | Infoblox discovered devices related dashboards/reports |
| virtual_ind | Specifies the virtual indicator | Integer |
Infoblox Threat Protection related dashboards/reports
...
| Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
| CLIENT | Specifies the IP address of the DNS client | Example: 10.39.18.60 | |||
| COUNT | Specifies the count of DNS queries | si_dns_top_clients | Integer | ||
| Specifies the count of SERVFAIL errors that are received for DNS clients | si_top_servfail_received_queries | Integer | |||
| Specifies the count of NXDOMAIN/NOERROR replies for DNS clients | si_top_nxdomain_query | Integer | |||
| Specifies the count of DNS domain name requests | si_dns_requested_domain | Integer | |||
| Specifies the count of DNS queries per second | si_dns_qps_trend | Integer | |||
| Specifies the count of DNS SERVFAIL errors that are sent for DNS queries | si_top_servfail_sent_queries | Integer | |||
| Specifies the count of DNS timed-out recursive queries | si_top_timeout_queries | Integer | |||
| Specifies the average count of DNS RPX hits | si_dns_rpz_hits | Integer | |||
| Specifies the count of DNS clients per domain | si_top_clients_per_domain | Integer | |||
| EA | Common Extracted fields | ||||
| FQDN | Specifies the fully qualified domain name | si_dns_requested_domain, si_top_clients_per_domain | Example: 213.31.102.10.in-addr.arpa | ||
| HWTYPE | Common Extracted fields | ||||
| MAX_DB_OBJECTS | Common Extracted fields | ||||
| MAX_DHCP_LPS | Common Extracted fields | ||||
| MAX_DNS_QPS | Common Extracted fields | ||||
| MEMBER | Specifies the member | String | Infoblox DNS Summary | ||
| MEMBER_IP | Common Extracted fields | ||||
| TLD | Specifies top level domain names | si_dns_requested_domain | Example: arpa | ||
| TYPE | Specifies the DNS response type | si_dns_query_reply, si_dns_qps_trend, si_ddns_update | SUCCESS/NOERROR or REFERRAL or NXRRSET or NXDOMAIN or REFUSED or OTHER | ||
| VIEW | It refers to the DNS view key to map DNS view through lookup. See display_name field. | si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries | Example: _default | ||
| date_hour | Splunk Default field | ||||
| date_mday | Splunk Default field | ||||
| date_minute | Splunk Default field | ||||
| date_month | Splunk Default field | ||||
| date_second | Splunk Default field | ||||
| date_wday | Splunk Default field | ||||
| date_year | Splunk Default field | ||||
| date_zone | Splunk Default field | ||||
| display_name | Specifies the DNS view | si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries | Example: default.MS-2016 | Lookup from dns_viewkey_displayname.csv using the VIEW field value. | |
| eventtype | Splunk Default field | ||||
| host | Splunk Default field | ||||
| index | Splunk Default field | ||||
| info_max_time | Common summary index fields | ||||
| info_min_time | Common summary index fields | ||||
| info_search_time | Common summary index fields | ||||
| linecount | Splunk Default field | ||||
| orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
| psrsvd_ct_COUNT | Here, ct = count. Contains the count information for the COUNT field. | si_dns_query_reply,si_dns_qps_trend | Splunk added special field | ||
| psrsvd_ct_LATENCY | Contains the count information for the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
| psrsvd_ct_QCOUNT | Contains the count information for the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | Splunk added special field | ||
| psrsvd_gc | Here, gc = group count. It indicates the count for stats "grouping" and it is not scoped to a single field. | si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend | Splunk added special field | ||
| psrsvd_nc_COUNT | Here, nc = numerical count. It indicates the number of numerical values and contains the numerical count information for the COUNT field. | si_dns_query_reply, si_dns_qps_trend | Splunk added special field | ||
| psrsvd_nc_LATENCY | Contains the numerical count information for the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
| psrsvd_nc_QCOUNT | Contains the numerical count information for the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | Splunk added special field | ||
| psrsvd_nx_QCOUNT | Here, nx = maximum numerical value. Contains the maximum numerical value information for the QCOUNT field. | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day | Splunk added special field | ||
| psrsvd_sm_COUNT | Here, sm = sum. Contains the sum information for the COUNT field. | si_dns_query_reply, si_dns_qps_trend | Splunk added special field | ||
| psrsvd_sm_LATENCY | Contains the sum information for the LATENCY field. | si_dns_response_latency_trend | Splunk added special field | ||
| psrsvd_sm_QCOUNT | Contains the sum information for the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | Splunk added special field | ||
| psrsvd_sx_QCOUNT | Here, sx = maximum lexicographical value. Contains the maximum lexicographical value information for the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day | Splunk added special field | ||
| psrsvd_v | Here, v = versio. This is not scoped to a single field. | si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend | Splunk added special field | ||
| psrsvd_vt_COUNT | Here, vt = value type. Contains precision of the associated field. This field contains precision of the COUNT field. | si_dns_query_reply, si_dns_qps_trend | Splunk added special field | ||
| psrsvd_vt_LATENCY | Contains precision of the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
| psrsvd_vt_QCOUNT | Contains precision of the QCOUNT field | si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend | Splunk added special field | ||
| report | Contains the name of the report that populates the summary index | ||||
| DNS Scavenge Object Count Trend data | si_dns_reclaimed_object_count_trend | ||||
| DNS Top Clients report data | si_dns_top_clients | ||||
| DNS Replies Trend data | si_dns_query_reply | ||||
| DNS Top SERVFAIL Errors Received Report data | si_top_servfail_received_queries | ||||
| DNS Response Latency Trend data | si_dns_response_latency_trend | ||||
| DNS Daily Peak Hour Query Rate by Member Report data | si_dns_member_qps_trend_per_hour | ||||
| DNS Top NXDOMAIN / NOERROR (no data) Report data | si_top_nxdomain_query | ||||
| DNS Daily Query Rate by Member Report data | si_dns_member_qps_trend_per_day | ||||
| DNS Query Rate by Member Report data | si_dns_member_qps_trend | ||||
| DNS Top Requested Domain Names Report data | si_dns_requested_domain | ||||
| DNS Queries Per Second Trend data | si_dns_qps_trend | ||||
| DNS Top SERVFAIL Errors Sent Report data | si_top_servfail_sent_queries | ||||
| DDNS Update Rate Trend data | si_ddns_update | ||||
| DNS Cache Hit Rate Trend data | si_dns_cache_hit_ratio | ||||
| DNS Top Timed-Out Recursive Queries Report data | si_top_timeout_queries | ||||
| DNS RPZ Hits Reports data | si_dns_rpz_hits | ||||
| DNS Top Clients per Domain Report data | si_top_clients_per_domain | ||||
| search_name | Common summary index fields | ||||
| search_now | Common summary index fields | ||||
| source | Splunk Default field | ||||
| sourcetype | Splunk Default field | ||||
| splunk_server | Splunk Default field | ||||
| splunk_server_group | Splunk Default field | ||||
| timeendpos | Common extracted fields | ||||
| timestartpos | Common extracted fields |
...