Introduction

Splunk default fields

Splunk server adds the following default fields to each event in every index.

Field Name | Description | Values/Range
date_hour | Indicates the hour when an event occurred. To narrow your search for specific event timestamps, you can use the default datetime fields. | Range: 0-23
date_mday | Indicates the day of the month when the event occurred | Range: 1-31
date_minute | Indicates the exact minute when the event occurred | Range: 0-59
date_month | Indicates the month during which an event occurred
date_second | Indicates the second in which an event occurred | Range: 0-59
date_wday | Indicates the day of the week in which an event occurred | Example: Sunday, Monday, etc.
date_year | Indicates the year in which an event occurred
date_zone | Indicates the time for the local timezone of an event, expressed as hours in Unix Time
eventtype | Indicates events of the same type based on a given search. | Example: splunkd-log
host | Contains information about the originating hostname or a network IP address that generates the event | Example: reporting-1.com
index | Contains the name of the index with which a given event is indexed | Example: ib_dns_summary
linecount | Contains information about the number of lines in an event before it is indexed | Example: 1
punct | Contains information about the pattern of the first thirty punctuation characters in the first line of the event with which it is associated. It shows how an event looks when all letters, numbers, and spaces are removed and contains characters such as periods, colons, parentheses, quotes, question marks, dashes, and underscores. | Example: -_::._[]:___.../_=
source | Contains the name of the file, stream, or other input details from which the event originates | Example: si-search-dns-query-reply
sourcetype | Specifies the format of data input from which the event originates | Stash
splunk_server | Contains the name of the Splunk server that comprises the event | Example: reporting-2.com-2-slave
splunk_server_group | Contains the name of the Splunk server group | String


Commonly extracted fields

Field Name | Description | Values/Range | Source of Data
EA | Specifies the extensible attribute | String | __grouping_by_ea_tag_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/grouping_by_ea_tag_map.csv with host value as input, OR pool_ea_lookup_csv lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_pools.csv with pool value as input, OR resource_pool_ea_lookup_csv lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_resources.csv with RESOURCE value as input, OR network_ea_lookup_csv lookup from /storage/splunk/etc/apps/infoblox/lookups/network.csv with NETWORK value as input
HWTYPE | Specifies the hardware type | Example: IB-4030 | nios_member_hw_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with host value as input
MAX_DB_OBJECTS | Specifies the maximum objects in the database for a host | Example: 8000000 | nios_member_hw_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with host value as input
MAX_DHCP_LPS | Specifies the maximum number of DHCP leases per second for a host | Example: 15.0 | nios_member_hw_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with host value as input
MAX_DNS_QPS | Specifies the maximum DNS queries per second for a host | Example: 1000000.0 | nios_member_hw_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with host value as input
MEMBER_IP | Specifies the IP address of the member | IP address | nios_member_hw_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_ip.csv with host value as input
timeendpos | Specifies the byte at which the timestamp ends. These values are based on the TIME_FORMAT that is specified for a sourcetype under props.conf. | Example: 26
timestartpos | Specifies the byte at which the timestamp starts | Example: 0

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
CLIENT | Indicates the DNS client | String | Infoblox DNS query
COUNT | Indicates the count | Integer | Infoblox DNS query and DNS Record Scavenging
EA | Common Extracted fields
FQDN | Indicates the FQDN | String | Infoblox DNS query
HITS | Indicates the DNS cache hits count | Integer | Infoblox DNS query
HNAME | Indicates the HNAME | String | Infoblox DNS query
HWTYPE | Common Extracted fields
LATENCY | Indicates the latency count | Integer | Infoblox DNS performance
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER | Specifies the member | String | DNS Record Scavenging
MEMBER_IP | Common Extracted fields
MISSES | Specifies DNS cache miss count | Integer | Infoblox DNS query
QCOUNT | Specifies query count | Integer | Infoblox DNS query
REST | REST | String | Infoblox DDNS
SOURCE | SOURCE | String | Infoblox DDNS
SOURCEA | SOURCEA | IP address | Infoblox DDNS
TLD | Specifies the top-level domain name | String | Infoblox DNS query
TYPE | RR Type | String. Example: nxdomain | Infoblox DNS query and DNS Record Scavenging
TYPEA | TYPEA | String. Example: Success | Infoblox DDNS
VIEW | It refers to the DNS view key to map DNS view through lookup. See display_name field. | String | Infoblox DNS query
ZONE | Indicates the name of the zone | String | Infoblox DDNS
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the name of the DNS view | String | DNS view lookup from dns_viewkey_displayname.csv using View field value.
eventtype | Splunk Default field
failure | Specifies the DNS FAILURE query count | Integer
host | Splunk Default field
index | Splunk Default field
linecount | Splunk Default field
nxdomain | Specifies the DNS NXDOMAIN query count | Integer
nxrrset | Specifies the DNS NXRRSET query count | Integer
other | Specifies the DNS other query count | Integer
punct | Splunk Default field
referral | Specifies the DNS REFERRAL query count | Integer
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
success | Specifies the DNS success query count
timeendpos | Common extracted fields
timestartpos | Common extracted fields

Infoblox DNS Query Capture

Extracted Field Name | Description of the field | Values/Range | Source of Data
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
answer_count | Specifies the answer count | Integer | Infoblox DNS query capture
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the DNS view | String | DNS View Lookup from dns_viewkey_displayname.csv using View field value.
eventtype | Splunk Default field
flag_aa | Flag AA | Boolean. Example: Y | Infoblox DNS query capture
flag_ad | Flag AD | Boolean. Example: Y | Infoblox DNS query capture
flag_edns | Flag EDNS | Boolean. Example: Y | Infoblox DNS query capture
flag_recursion | Flag Recursion | Boolean. Example: Y | Infoblox DNS query capture
host | Splunk Default field
host_class | Specifies the host class | Example: IN | Infoblox DNS query capture
host_type | Specifies the host type | Example: PTR | Infoblox DNS query capture
index | Splunk Default field
linecount | Splunk Default field
message_type | Specifies the message type | Example: Query or Response | Infoblox DNS query capture
name | Specifies the name | Host name. Example: 1.0.0.127.in-addr.arpa | Infoblox DNS query capture
query | Specifies the query | Host name. Example: 213.31.102.10.in-addr.arpa | Infoblox DNS query capture
query_class | Specifies the query class | Example: IN | Infoblox DNS query capture
query_count | Specifies the query count | Integer. Example: 1 | Infoblox DNS query capture
query_source | Specifies the query source | Example: I, E | Infoblox DNS query capture
query_type | Specifies the DNS query type | Example: PTR | Infoblox DNS query capture
rdata | RDATA | String. This value depends on the query type. | Infoblox DNS query capture
reply_code | Specifies the reply code | String. Example: ServFail, NoError | Infoblox DNS query capture
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
src_ip | Specifies the source IP | IP Address | Infoblox DNS query capture
src_port | Specifies the source port | Integer | Infoblox DNS query capture
time_msec | Specifies time in milliseconds | Integer | Infoblox DNS query capture
timeendpos | Common extracted fields
timestamp | Indicates the timestamp | Integer | Infoblox DNS query capture
timestartpos | Common Extracted fields
transport | Specifies the mode of transport | Example: UDP, TCP | Infoblox DNS query capture
ttl | Specifies the TTL | Integer. Example: 3600 | Infoblox DNS query capture
view | Specifies the view | Example: 1, 2 | Infoblox DNS query capture

Infoblox DHCP Performance

Extracted Field Name | Description of the field | Values/Range | Source of Data
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
NETWORK | Specifies the network address | Example: 10.0.0.0/8 | Evaluated from address and cidr field values
address | Specifies the DHCP client address | IP address | Infoblox DHCP performance
address_total | Specifies the total number of addresses | Integer | Infoblox DHCP performance
cidr | Specifies the CIDR | Example: 24 | Infoblox DHCP performance
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
dhcp_hosts | Specifies the DHCP hosts count | Integer | Infoblox DHCP performance
dhcp_utilization | Specifies the DHCP utilization | Integer | Infoblox DHCP performance
dhcp_utilization_status | Specifies the DHCP utilization status | String | Infoblox DHCP performance
dhcpv4ack | Specifies the DHCPv4 ACK message count | Integer | Infoblox DHCP performance
dhcpv4decline | Specifies the DHCPv4 decline message count | Integer | Infoblox DHCP performance
dhcpv4discover | Specifies the DHCPv4 discover message count | Integer | Infoblox DHCP performance
dhcpv4inform | Specifies the DHCPv4 inform message count | Integer | Infoblox DHCP performance
dhcpv4leaseactive | Specifies the DHCPv4 lease active message count | Integer | Infoblox DHCP performance
dhcpv4leasequery | Specifies the DHCPv4 lease query message count | Integer | Infoblox DHCP performance
dhcpv4leaseunassigned | Specifies the DHCPv4 lease unassigned message count | Integer | Infoblox DHCP performance
dhcpv4leaseunknown | Specifies the DHCPv4 lease unknown message count | Integer | Infoblox DHCP performance
dhcpv4nak | Specifies the DHCPv4 NAK message count | Integer | Infoblox DHCP performance
dhcpv4offer | Specifies the DHCPv4 offer message count | Integer | Infoblox DHCP performance
dhcpv4release | Specifies the DHCPv4 release message count | Integer | Infoblox DHCP performance
dhcpv4request | Specifies the DHCPv4 request message count | Integer | Infoblox DHCP performance
dhcpv6advertise | Specifies the DHCPv6 advertise message count | Integer | Infoblox DHCP performance
dhcpv6confirm | Specifies the DHCPv6 confirm message count | Integer | Infoblox DHCP performance
dhcpv6decline | Specifies the DHCPv6 decline message count | Integer | Infoblox DHCP performance
dhcpv6information_request | Specifies the DHCPv6 information request message count | Integer | Infoblox DHCP performance
dhcpv6leasequery | Specifies the DHCPv6 lease query message count | Integer | Infoblox DHCP performance
dhcpv6leasequery_reply | Specifies the DHCPv6 lease query reply message count | Integer | Infoblox DHCP performance
dhcpv6rebind | Specifies the DHCPv6 rebind message count | Integer | Infoblox DHCP performance
dhcpv6reconfigure | Specifies the DHCPv6 reconfigure message count | Integer | Infoblox DHCP performance
dhcpv6relay_forward | Specifies the DHCPv6 relay forward message count | Integer | Infoblox DHCP performance
dhcpv6relay_reply | Specifies the DHCPv6 relay reply message count | Integer | Infoblox DHCP performance
dhcpv6release | Specifies the DHCPv6 release message count | Integer | Infoblox DHCP performance
dhcpv6renew | Specifies the DHCPv6 renew message count | Integer | Infoblox DHCP performance
dhcpv6reply | Specifies the DHCPv6 reply message count | Integer | Infoblox DHCP performance
dhcpv6request | Specifies the DHCPv6 request message count | Integer | Infoblox DHCP performance
dhcpv6solicit | Specifies the DHCPv6 solicit message count | Integer | Infoblox DHCP performance
display_name | Specifies the DNS View | String | DNS View Lookup from dns_viewkey_displayname.csv using View field value
dynamic_hosts | Specifies the dynamic hosts count | Integer | Infoblox DHCP performance
end_address | Specifies the end IP address | IP address | Infoblox DHCP performance
eventtype | Splunk Default field
host | Splunk Default field
index | Splunk Default field
linecount | Splunk Default field
members | Specifies the DHCP member | Example: infoblox.localdomain | Infoblox DHCP performance
ms_servers | Specifies the MS servers | IP address | Infoblox DHCP performance
protocol | Specifies the DHCP protocol | Example: IPV4
punct | Splunk Default field
ranges | Specifies the DHCP ranges count | Integer | Infoblox DHCP performance
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
start_address | Specifies the start IP address | IP address | Infoblox DHCP performance
static_hosts | Specifies the static hosts count | Integer | Infoblox DHCP performance
timeendpos | Common extracted fields
timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox DHCP performance
timestartpos | Common extracted fields
View | Specifies the network view | Example: default | Infoblox DHCP performance

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
ACTION | Specifies the action | String. Example: Issued | Infoblox DHCP lease history
CIDR | Specifies the CIDR | Integer | Infoblox DHCP lease history
DEVICE_CLASS | Specifies the device class | String. Example: Linux | fingerprint_device_class_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/fingerprint_device_class_map.csv with FP value as input, OR os_number_fingerprint_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/os_number_fingerprint_device_class_map.csv with OS_NUMBER value as input
EA | Common Extracted fields
END_EPOCH | Specifies the end epoch time | Integer | Infoblox DHCP lease history
FP | Specifies the name of the DHCP fingerprint | String. Example: No Match | Infoblox DHCP lease history
FP_CIDR | Specifies the fingerprint CIDR | Integer. Example: 8 | Infoblox DHCP lease history
FP_NW | Specifies the fingerprint network | Network address. Example: 10.0.0.0 | Infoblox DHCP lease history
FP_RANGE | Specifies the fingerprint range | Network range. Example: 10.0.0.1-10.0.0.200 | Infoblox DHCP lease history
FP_VIEW | Specifies the fingerprint view | String. Example: default | Infoblox DHCP lease history
HWTYPE | Common Extracted fields
LEASE_IP | Specifies the lease IP address | IP address | Infoblox DHCP lease history
MAC_DUID | Specifies the MAC address | MAC address | Infoblox DHCP lease history
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
MS Server | Specifies the MS server | IP Address | Infoblox DHCP lease history
NW | Specifies the network | Network address. Example: 10.0.0.0 | Infoblox DHCP lease history
OPTION12HOST | Specifies the host name that is sent using DHCP Option 12 | String. Example: Fedora21 | Infoblox DHCP lease history
OS_NUMBER | Specifies the OS number | Integer | Infoblox DHCP lease history
PROTO | Specifies the protocol | String. Example: dhcpd | Infoblox DHCP lease history
SFP | SFP | String. Example: Ubuntu/Debian 5/Knoppix 6 | Infoblox DHCP fingerprint
START_EPOCH | Specifies the start epoch time | Integer | Infoblox DHCP lease history
VIEW | Specifies the view | | Infoblox DHCP lease history
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the DNS view | String | DNS View Lookup from dns_viewkey_displayname.csv using the View field value.
eventtype | Splunk Default field
host | Splunk Default field
index | Splunk Default field
linecount | Splunk Default field
punct | Splunk Default field
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
timeendpos | Common extracted fields
timestartpos | Common extracted fields

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
address_alloc | Specifies the address allocation count | Integer | Infoblox DDI utilization
address_assignable | Specifies the address assignable count | Integer | Infoblox DDI utilization
address_assigned | Specifies the address assigned count | Integer | Infoblox DDI utilization
address_conflicts | Specifies the address conflicts count | | Infoblox DDI utilization
address_reserved | Specifies the address reserved count | Integer | Infoblox DDI utilization
address_total | Specifies the total number of addresses | Integer | Infoblox DDI utilization
address_unalloc | Specifies the address unallocation count | Integer | Infoblox DDI utilization
address_unmanaged | Specifies the address unmanaged count | Integer | Infoblox DDI utilization
allocation | Allocation | Integer | Infoblox DDI utilization
cidr | Specifies the CIDR | Example: 24 | Infoblox DDI utilization
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
discovered_name | Specifies the discovered name | String | Infoblox DDI utilization
display_name | Specifies the DNS view | String | DNS view lookup from dns_viewkey_displayname.csv using the View field value.
eventtype | Splunk Default field
first_discovered_timestamp | Specifies the first discovered timestamp | Timestamp | Infoblox DDI utilization
host | Splunk Default field
hosts | Specifies the address hosts count | Integer | Infoblox DDI utilization
index | Splunk Default field
ip_address | Specifies the IP address | IP Address | Infoblox DDI utilization
last_discovered_timestamp | Specifies the last discovered timestamp | Timestamp | Infoblox DDI utilization
linecount | Splunk Default field
managed | Indicates if managed or not | Boolean | Infoblox DDI utilization
management_platform | Specifies the management platform | String | Infoblox DDI utilization
members | Specifies the DHCP members | Example: infoblox.localdomain | Infoblox DDI utilization
ms_primary | Specifies the MS primary | String | Infoblox DDI utilization
port_vlan_name | Specifies the VLAN port name | String | Infoblox DDI utilization
port_vlan_number | Specifies the VLAN port number | Integer | Infoblox DDI utilization
network_view | Specifies the network view | String | Infoblox DDI utilization
primary | Primary | FQDN | Infoblox DDI utilization
protocol | Specifies the DHCP protocol | Example: IPV4 | Infoblox DDI utilization
punct | Splunk Default field
rr_a | Specifies the resource record A count | Integer | Infoblox DDI utilization
rr_aaaa | Specifies the resource record AAAA count | Integer | Infoblox DDI utilization
rr_cname | Specifies the resource record CNAME count | Integer | Infoblox DDI utilization
rr_dhcid | Specifies the resource record DHCID count | Integer | Infoblox DDI utilization
rr_dname | Specifies the resource record DNAME count | Integer | Infoblox DDI utilization
rr_dnskey | Specifies the resource record DNSKEY count | Integer | Infoblox DDI utilization
rr_ds | Specifies the resource record DS count | Integer | Infoblox DDI utilization
rr_lbdn | Specifies the resource record LBDN count | Integer | Infoblox DDI utilization
rr_mx | Specifies the resource record MX count | Integer | Infoblox DDI utilization
rr_naptr | Specifies the resource record NAPTR count | Integer | Infoblox DDI utilization
rr_ns | Specifies the resource record NS count | Integer | Infoblox DDI utilization
rr_nsec | Specifies the resource record NSEC count | Integer | Infoblox DDI utilization
rr_nsec3 | Specifies the resource record NSEC3 count | Integer | Infoblox DDI utilization
rr_nsec3param | Specifies the resource record NSEC3PARAM count | Integer | Infoblox DDI utilization
rr_other | Specifies the resource record OTHER count | Integer | Infoblox DDI utilization
rr_ptr | Specifies the resource record PTR count | Integer | Infoblox DDI utilization
rr_rrsig | Specifies the resource record RRSIG count | Integer | Infoblox DDI utilization
rr_soa | Specifies the resource record SOA count | Integer | Infoblox DDI utilization
rr_srv | Specifies the resource record SRV count | Integer | Infoblox DDI utilization
rr_tlsa | Specifies the resource record TLSA count | Integer | Infoblox DDI utilization
rr_total | Specifies the resource record TOTAL count | Integer | Infoblox DDI utilization
rr_txt | Specifies the resource record TXT count | Integer | Infoblox DDI utilization
signed | Indicates whether signed or not | Boolean | Infoblox DDI utilization
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
timeendpos | Common extracted fields
Timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox DDI utilization
timestartpos | Common extracted fields
utilization | Specifies the address utilization count | Integer | Infoblox DDI utilization
view | Specifies the network view | Example: default | Infoblox DDI utilization
zone_format | Specifies the zone format | String. Example: Forward-Mapping | Infoblox DDI utilization
zone_name | Specifies the zone name | String. Example: member1.com | Infoblox DDI utilization
zones_forward | Specifies the zone forward count | Integer | Infoblox DDI utilization
zones_ipv4 | Specifies the IPv4 count of the zone | Integer | Infoblox DDI utilization
zones_ipv6 | Specifies the IPv6 count of the zone | Integer | Infoblox DDI utilization
zones_signed | Specifies the signed count of the zone | Integer | Infoblox DDI utilization

...

Most of the fields in this index are extracted directly from the syslog_filtered.log file. The table below lists a selected few:

Extracted Field Name | Description of the field | Values/Range | Source of Data
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
available | Specifies the available count | Integer | Infoblox DNS traffic control
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
eventtype | Splunk Default field
host | Splunk Default field
index | Splunk Default field
linecount | Splunk Default field
monitor | Specifies the DNS Traffic Control SNMP health monitor | String | Infoblox DNS traffic control
pool | Specifies the pool | String | Infoblox DNS traffic control
punct | Splunk Default field
resource | Specifies the resource | String | Infoblox DNS traffic control
response_count | Specifies the response count | Integer | Infoblox DNS traffic control
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
timeendpos | Common extracted fields
timestamp | Indicates the timestamp of the event | Example: 2017-02-04 03:45:53
timestartpos | Common extracted fields
unavailable | Specifies the unavailable count | Integer | Infoblox DNS traffic control

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
ACTION | Specifies the action | String. Example: Allocated | Evaluated based on the action field value
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
TENANT_NAME | Specifies the name of the tenant associated with the VM | String | tenant_name_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/tenant_name_lookup.csv with tenant_id value as input
action | Specifies the action count | Integer | Infoblox cloud related dashboards/reports
address | Specifies the IP address | IP address | Infoblox cloud related dashboards/reports
address_type | Specifies the type of address | Integer | Infoblox cloud related dashboards/reports
application_type | Specifies the application type | | Infoblox cloud related dashboards/reports
cidr | Specifies the CIDR | Example: 24 | Infoblox cloud related dashboards/reports
cnames | Specifies the common name | String | Infoblox cloud related dashboards/reports
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the DNS view | String | DNS view lookup from dns_viewkey_displayname.csv using the VIEW field value
elastic_address | Specifies the elastic IP address | IP address | Infoblox cloud related dashboards/reports
eventtype | Splunk Default field
Fqdn | Specifies the FQDN | String | Infoblox cloud related dashboards/reports
host | Splunk Default field
index | Splunk Default field
interface_name | Specifies the interface name | String | Infoblox cloud related dashboards/reports
is_primary_ifc | Indicates if primary IFC or not | Example: 0 (not primary) | Infoblox cloud related dashboards/reports
linecount | Splunk Default field
location | Specifies the location | | Infoblox cloud related dashboards/reports
mac_address | Specifies the MAC address | Example: 00:11:22:33:44:55 | Infoblox cloud related dashboards/reports
mgmt_platform | Specifies management platform | Example: vm132ctest | Infoblox cloud related dashboards/reports
network | Specifies the network address | Example: 10.0.0.0/8 | Infoblox cloud related dashboards/reports
network_view | Specifies the network view | Example: default | Infoblox cloud related dashboards/reports
port_id | Specifies the port ID | Integer | Infoblox cloud related dashboards/reports
private_address | Specifies the private address | IP address | Infoblox cloud related dashboards/reports
private_hostname | Specifies the private hostname | String | Infoblox cloud related dashboards/reports
public_address | Specifies the public address | IP address | Infoblox cloud related dashboards/reports
public_hostname | Specifies the public hostname | String | Infoblox cloud related dashboards/reports
punct | Splunk Default field
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
tenant_id | Specifies the tenant ID | Integer | Infoblox cloud related dashboards/reports
timeendpos | Common extracted fields
timestamp | Indicates the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox cloud related dashboards/reports
timestartpos | Common extracted fields
view | Specifies the DNS view | String
vlan_id | Specifies the VLAN ID | Integer | Infoblox cloud related dashboards/reports
vm_hostname | Specifies the hostname of the VM | String | Infoblox cloud related dashboards/reports
vm_name | Specifies the name of the VM | Example: 99 | Infoblox cloud related dashboards/reports
vm_vpc_address | Specifies the VPC address of the VM | IP address | Infoblox cloud related dashboards/reports
vm_vpc_cidr | Specifies the VPC CIDR of the VM | Example: 24 | Infoblox cloud related dashboards/reports
vm_vpc_id | Specifies the VPC ID of the VM | Integer | Infoblox cloud related dashboards/reports
vm_vpc_name | Specifies the VPC name of the VM | Integer | Infoblox cloud related dashboards/reports
vpc_addr | Specifies the VPC address | IP address | Infoblox cloud related dashboards/reports

...

Extracted Field Name | Description of the field | Values/Range | Source of Data
EA | Common Extracted fields
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER_IP | Common Extracted fields
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the DNS view | String | DNS view lookup from dns_viewkey_displayname.csv using the View field value
eventtype | Splunk Default field
host | Splunk Default field
index | Splunk Default field
license_count | Specifies the license count | Integer | Reporting license usage
license_pool | Specifies the license pool | String. Example: cloud_api.0 | Reporting license usage
linecount | Splunk Default field
punct | Splunk Default field
source | Splunk Default field
sourcetype | Splunk Default field
splunk_server | Splunk Default field
splunk_server_group | Splunk Default field
timeendpos | Common extracted fields
timestamp | Indicates the timestamp | Timestamp | Reporting license usage
timestartpos | Common extracted fields
utilization | Specifies the utilization | Integer | Reporting license usage
view | Specifies the DNS view | String

...

Note: psrsvd stands for prestats reserved. The syntax is psrsvd_[type]_[fieldname]. Splunk adds these special fields, whose names begin with psrsvd, to summary index data when you run a search that uses an si* command to populate a summary index. See "List of available psrsvd types" (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing) in the Splunk docs.

Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks
CLIENT | Specifies the IP address of the DNS client | | Example: 10.39.18.60
COUNT | Specifies the count of DNS queries | si_dns_top_clients | Integer
 | Specifies the count of SERVFAIL errors that are received for DNS clients | si_top_servfail_received_queries | Integer
 | Specifies the count of NXDOMAIN/NOERROR replies for DNS clients | si_top_nxdomain_query | Integer
 | Specifies the count of DNS domain name requests | si_dns_requested_domain | Integer
 | Specifies the count of DNS queries per second | si_dns_qps_trend | Integer
 | Specifies the count of DNS SERVFAIL errors that are sent for DNS queries | si_top_servfail_sent_queries | Integer
 | Specifies the count of DNS timed-out recursive queries | si_top_timeout_queries | Integer
 | Specifies the average count of DNS RPZ hits | si_dns_rpz_hits | Integer
 | Specifies the count of DNS clients per domain | si_top_clients_per_domain | Integer
EA | Common Extracted fields
FQDN | Specifies the fully qualified domain name | si_dns_requested_domain and si_top_clients_per_domain | Example: 213.31.102.10.in-addr.arpa
HWTYPE | Common Extracted fields
MAX_DB_OBJECTS | Common Extracted fields
MAX_DHCP_LPS | Common Extracted fields
MAX_DNS_QPS | Common Extracted fields
MEMBER | Specifies the member | | String | Infoblox DNS Summary
MEMBER_IP | Common Extracted fields
TLD | Specifies top level domain names | si_dns_requested_domain | Example: arpa
TYPE | Specifies the DNS response type | si_dns_query_reply, si_dns_qps_trend, and si_ddns_update | SUCCESS/NOERROR OR REFERRAL OR NXRRSET OR NXDOMAIN OR REFUSED OR OTHER
VIEW | It refers to the DNS view key to map DNS view through lookup. See display_name field. | si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, and si_top_servfail_received_queries | Example: _default
date_hour | Splunk Default field
date_mday | Splunk Default field
date_minute | Splunk Default field
date_month | Splunk Default field
date_second | Splunk Default field
date_wday | Splunk Default field
date_year | Splunk Default field
date_zone | Splunk Default field
display_name | Specifies the DNS view | si_dns_requested_domain,
si_dns_top_clients,
si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
si_dns_member_qps_trend,
si_dns_qps_trend,
si_ddns_update,
si_dns_cache_hit_ratio,
si_dns_rpz_hits,
si_top_clients_per_domain,
si_top_timeout_queries,
si_top_servfail_sent_queries,
si_top_nxdomain_query, and
si_top_servfail_received_queries
Example: default.MS-2016

Lookup from dns_viewkey_displayname.csv
using the VIEW field value

eventtypeSplunk Default field



hostSplunk Default field



indexSplunk Default field



info_max_timeCommon summary index fields



info_min_timeCommon summary index fields



info_search_timeCommon summary index fields



linecountSplunk Default field



orig_hostSpecifies the host name of the data source
Example: infoblox.com
Splunk added default field
psrsvd_ct_COUNTHere, ct = count.

Contains
It contains the count information for the COUNT field.si_dns_query_reply
,
and si_dns_qps_trend

Splunk added special field
psrsvd_ct_LATENCYContains the count information for the LATENCY fieldsi_dns_response_latency_trend

Splunk added special field
psrsvd_ct_QCOUNTContains the count information for the QCOUNT field

si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
and si_dns_member_qps_trend



Splunk added special field
psrsvd_gcHere, gc = group count. It indicates the count for stats
"
grouping
"
and it is not scoped to a single field.

si_dns_query_reply,
si_dns_response_latency_trend,
si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
si_dns_member_qps_trend, and
si_dns_qps_trend



Splunk added special field
psrsvd_nc_COUNTHere, nc = numerical count. It indicates the number of numerical values and contains the numerical count information for the COUNT field.si_dns_query_reply
,
and
si_dns_qps_trend


Splunk added special field
psrsvd_nc_LATENCYContains the numerical count information for the LATENCY fieldsi_dns_response_latency_trend

Splunk added special field
psrsvd_nc_QCOUNTContains the numerical count information for the QCOUNT field

si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
and si_dns_member_qps_trend



Splunk added special field
psrsvd_nx_QCOUNTHere, nx = maximum numerical value.
Contains
It contains the maximum numerical value information for the QCOUNT field.

si_dns_member_qps_trend_per_hour

,

and
si_dns_member_qps_trend_per_day



Splunk added special field
psrsvd_sm_COUNTHere, sm = sum. Contains the sum information for the COUNT field.

si_dns_query_reply

,

and
si_dns_qps_trend



Splunk added special field
psrsvd_sm_LATENCYContains the sum information for the LATENCY field.si_dns_response_latency_trend

Splunk added special field
psrsvd_sm_QCOUNTContains the sum information for the QCOUNT field

si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
and si_dns_member_qps_trend



Splunk added special field
psrsvd_sx_QCOUNTHere, sx = maximum lexicographical value.
Contains
It contains the maximum lexicographical value information for the QCOUNT field

si_dns_member_qps_trend_per_hour

,


and si_dns_member_qps_trend_per_day



Splunk added special field
psrsvd_vHere, v =
versio
version. This is not scoped to a single field.

si_dns_query_reply,
si_dns_response_latency_trend,
si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
si_dns_member_qps_trend, and
si_dns_qps_trend



Splunk added special field
psrsvd_vt_COUNTHere, vt = value type. Contains precision of the associated field.
This field contains precision of the COUNT field.
si_dns_query_reply
,
and
si_dns_qps_trend


Splunk added special field
psrsvd_vt_LATENCYContains precision of the LATENCY fieldsi_dns_response_latency_trend

Splunk added special field
psrsvd_vt_QCOUNTContains precision of the QCOUNT field

si_dns_member_qps_trend_per_hour,
si_dns_member_qps_trend_per_day,
and si_dns_member_qps_trend



Splunk added special field
reportContains the name of the report that populates the summary index




DNS Scavenge Object Count Trend datasi_dns_reclaimed_object_count_trend



DNS Top Clients report datasi_dns_top_clients



DNS Replies Trend datasi_dns_query_reply



DNS Top SERVFAIL Errors Received Report datasi_top_servfail_received_queries



DNS Response Latency Trend datasi_dns_response_latency_trend



DNS Daily Peak Hour Query Rate by Member Report datasi_dns_member_qps_trend_per_hour



DNS Top NXDOMAIN / NOERROR (no data) Report datasi_top_nxdomain_query



DNS Daily Query Rate by Member Report datasi_dns_member_qps_trend_per_day



DNS Query Rate by Member Report datasi_dns_member_qps_trend



DNS Top Requested Domain Names Report datasi_dns_requested_domain



DNS Queries Per Second Trend datasi_dns_qps_trend



DNS Top SERVFAIL Errors Sent Report datasi_top_servfail_sent_queries



DDNS Update Rate Trend datasi_ddns_update



DNS Cache Hit Rate Trend datasi_dns_cache_hit_ratio



DNS Top Timed-Out Recursive Queries Report datasi_top_timeout_queries



DNS RPZ Hits Reports datasi_dns_rpz_hits



DNS Top Clients per Domain Report datasi_top_clients_per_domain


search_nameCommon summary index fields



search_nowCommon summary index fields



sourceSplunk Default field



sourcetypeSplunk Default field



splunk_serverSplunk Default field



splunk_server_groupSplunk Default field



timeendposCommon extracted fields



timestartposCommon extracted fields



Infoblox DHCP Summary

| Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
|---|---|---|---|---|---|
| ACTION | Specifies the action | | String. Example: Issued | Infoblox DHCP summary | |
| DEVICE_CLASS | Specifies the device class | | String. Example: Linux | fingerprint_device_class_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/fingerprint_device_class_map.csv with FP value as input OR os_number_fingerprint_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/os_number_fingerprint_device_class_map.csv with OS_NUMBER value as input | |
| DHCP_RANGE | Specifies the DHCP range | | Network range. Example: 10.0.0.1-10.0.0.200 | Evaluated from the start_address and end_address field values | |
| EA | Common Extracted fields | | | | |
| FP | Specifies the fingerprint data | | String. Example: No Match | Infoblox DHCP summary | |
| HWTYPE | Common Extracted fields | | | | |
| LEASED_IP | Specifies the lease IP address | | IP address | Infoblox DHCP summary | |
| MAC_DUID | Specifies the MAC address | | MAC address | Infoblox DHCP summary | |
| MAX_DB_OBJECTS | Common Extracted fields | | | | |
| MAX_DHCP_LPS | Common Extracted fields | | | | |
| MAX_DNS_QPS | Common Extracted fields | | | | |
| MEMBER_IP | Common Extracted fields | | | | |
| Protocol | Specifies the DHCP protocol | | String. Example: IPV4 | Infoblox DHCP summary | |
| SFP | Specifies the SFP | | String. Example: Ubuntu/Debian 5/Knoppix 6 | os_number_fingerprint_lookup lookup from /storage/splunk/etc/apps/infoblox/lookups/os_number_fingerprint_device_class_map.csv with OS_NUMBER value as input | |
| VIEW | It refers to the DNS view key to map the DNS view through lookup. See display_name field | | String | | |
| date_hour | Splunk Default field | | | | |
| date_mday | Splunk Default field | | | | |
| date_minute | Splunk Default field | | | | |
| date_month | Splunk Default field | | | | |
| date_second | Splunk Default field | | | | |
| date_wday | Splunk Default field | | | | |
| date_year | Splunk Default field | | | | |
| date_zone | Splunk Default field | | | | |
| dhcp_utilization_status | Specifies the DHCP utilization status | | String | Infoblox DHCP summary | |
| display_name | Specifies the DNS view | | String | DNS View Lookup from dns_viewkey_displayname.csv using the View field value | |
| end_address | Specifies the end IP address | | IP address | Infoblox DHCP summary | |
| eventtype | Splunk Default field | | | | |
| host | Splunk Default field | | | | |
| index | Splunk Default field | | | | |
| info_max_time | Common summary index fields | | | | |
| info_min_time | Common summary index fields | | | | |
| info_search_time | Common summary index fields | | | | |
| linecount | Splunk Default field | | | | |
| members | Specifies the DHCP member | | String. Example: infoblox.localdomain | Infoblox DHCP summary | |
| ms_servers | Specifies the MS servers | | IP address | Infoblox DHCP summary | |
| orig_host | Specifies the host name of the data source | | Example: infoblox.com | Splunk added default field | |
| psrsvd_ct_FREE_ADDRESSES | Specifies the count information for FREE_ADDRESSES field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_ct_dhcp_utilization | Specifies the count for dhcp_utilization field | si_dhcp_range_utilization_trend | | Splunk added special field | |
| psrsvd_ct_dynamic_hosts | Specifies the count for dynamic_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_ct_static_hosts | Specifies the count for static_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_ct_v4ack | Specifies the count for v4ack field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4decline | Specifies the count for v4decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4discover | Specifies the count for v4discover field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4inform | Specifies the count for v4inform field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4leaseactive | Specifies the count for v4leaseactive field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4leasequery | Specifies the count for v4leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4leaseunassigned | Specifies the count for v4leaseunassigned field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4leaseunknown | Specifies the count for v4leaseunknown field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4nak | Specifies the count for v4nak field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4offer | Specifies the count for v4offer field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4release | Specifies the count for v4release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v4request | Specifies the count for v4request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6advertise | Specifies the count for v6advertise field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6confirm | Specifies the count for v6confirm field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6decline | Specifies the count for v6decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6information_request | Specifies the count for v6information_request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6leasequery | Specifies the count for v6leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6leasequery_reply | Specifies the count for v6leasequery_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6rebind | Specifies the count for v6rebind field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6reconfigure | Specifies the count for v6reconfigure field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6relay_forward | Specifies the count for v6relay_forward field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6relay_reply | Specifies the count for v6relay_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6release | Specifies the count for v6release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6renew | Specifies the count for v6renew field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6reply | Specifies the count for v6reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6request | Specifies the count for v6request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_ct_v6solicit | Specifies the count for v6solicit field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_gc | Here, gc = group count. The count for stats grouping and not scoped to a single field. | | | Splunk added special field | |
| psrsvd_nc_FREE_ADDRESSES | Specifies the numerical count for FREE_ADDRESSES field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_nc_dhcp_utilization | Specifies the numerical count for dhcp_utilization field | si_dhcp_range_utilization_trend | | Splunk added special field | |
| psrsvd_nc_dynamic_hosts | Specifies the numerical count for dynamic_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_nc_static_hosts | Specifies the numerical count for static_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_nc_v4ack | Specifies the numerical count for v4ack field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4decline | Specifies the numerical count for v4decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4discover | Specifies the numerical count for v4discover field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4inform | Specifies the numerical count for v4inform field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4leaseactive | Specifies the numerical count for v4leaseactive field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4leasequery | Specifies the numerical count for v4leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4leaseunassigned | Specifies the numerical count for v4leaseunassigned field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4leaseunknown | Specifies the numerical count for v4leaseunknown field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4nak | Specifies the numerical count for v4nak field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4offer | Specifies the numerical count for v4offer field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4release | Specifies the numerical count for v4release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v4request | Specifies the numerical count for v4request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6advertise | Specifies the numerical count for v6advertise field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6confirm | Specifies the numerical count for v6confirm field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6decline | Specifies the numerical count for v6decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6information_request | Specifies the numerical count for v6information_request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6leasequery | Specifies the numerical count for v6leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6leasequery_reply | Specifies the numerical count for v6leasequery_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6rebind | Specifies the numerical count for v6rebind field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6reconfigure | Specifies the numerical count for v6reconfigure field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6relay_forward | Specifies the numerical count for v6relay_forward field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6relay_reply | Specifies the numerical count for v6relay_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6release | Specifies the numerical count for v6release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6renew | Specifies the numerical count for v6renew field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6reply | Specifies the numerical count for v6reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6request | Specifies the numerical count for v6request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_nc_v6solicit | Specifies the numerical count for v6solicit field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_FREE_ADDRESSES | Specifies the sum for FREE_ADDRESSES field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_sm_dhcp_utilization | Specifies the sum for dhcp_utilization field | si_dhcp_range_utilization_trend | | Splunk added special field | |
| psrsvd_sm_dynamic_hosts | Specifies the sum for dynamic_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_sm_static_hosts | Specifies the sum for static_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_sm_v4ack | Specifies the sum for v4ack field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4decline | Specifies the sum for v4decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4discover | Specifies the sum for v4discover field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4inform | Specifies the sum for v4inform field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4leaseactive | Specifies the sum for v4leaseactive field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4leasequery | Specifies the sum for v4leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4leaseunassigned | Specifies the sum for v4leaseunassigned field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4leaseunknown | Specifies the sum for v4leaseunknown field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4nak | Specifies the sum for v4nak field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4offer | Specifies the sum for v4offer field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4release | Specifies the sum for v4release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v4request | Specifies the sum for v4request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6advertise | Specifies the sum for v6advertise field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6confirm | Specifies the sum for v6confirm field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6decline | Specifies the sum for v6decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6information_request | Specifies the sum for v6information_request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6leasequery | Specifies the sum for v6leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6leasequery_reply | Specifies the sum for v6leasequery_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6rebind | Specifies the sum for v6rebind field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6reconfigure | Specifies the sum for v6reconfigure field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6relay_forward | Specifies the sum for v6relay_forward field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6relay_reply | Specifies the sum for v6relay_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6release | Specifies the sum for v6release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6renew | Specifies the sum for v6renew field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6reply | Specifies the sum for v6reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6request | Specifies the sum for v6request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_sm_v6solicit | Specifies the sum for v6solicit field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_v | Here, v = version. This is not scoped to a single field. | si_dhcp_usage_trend, si_dhcp_top_lease_client, si_dhcp_range_utilization_trend, si_dhcp_top_os_by_network, and si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_FREE_ADDRESSES | Contains precision of the FREE_ADDRESSES field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_vt_dhcp_utilization | Contains precision of the dhcp_utilization field | si_dhcp_range_utilization_trend | | Splunk added special field | |
| psrsvd_vt_dynamic_hosts | Contains precision of the dynamic_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_vt_static_hosts | Contains precision of the static_hosts field | si_dhcp_usage_trend | | Splunk added special field | |
| psrsvd_vt_v4ack | Contains precision of the v4ack field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4decline | Contains precision of the v4decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4discover | Contains precision of the v4discover field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4inform | Contains precision of the v4inform field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4leaseactive | Contains precision of the v4leaseactive field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4leasequery | Contains precision of the v4leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4leaseunassigned | Contains precision of the v4leaseunassigned field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4leaseunknown | Contains precision of the v4leaseunknown field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4nak | Contains precision of the v4nak field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4offer | Contains precision of the v4offer field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4release | Contains precision of the v4release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v4request | Contains precision of the v4request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6advertise | Contains precision of the v6advertise field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6confirm | Contains precision of the v6confirm field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6decline | Contains precision of the v6decline field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6information_request | Contains precision of the v6information_request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6leasequery | Contains precision of the v6leasequery field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6leasequery_reply | Contains precision of the v6leasequery_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6rebind | Contains precision of the v6rebind field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6reconfigure | Contains precision of the v6reconfigure field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6relay_forward | Contains precision of the v6relay_forward field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6relay_reply | Contains precision of the v6relay_reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6release | Contains precision of the v6release field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6renew | Contains precision of the v6renew field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6reply | Contains precision of the v6reply field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6request | Contains precision of the v6request field | si-search-dhcp-message | | Splunk added special field | |
| psrsvd_vt_v6solicit | Contains precision of the v6solicit field | si-search-dhcp-message | | Splunk added special field | |
| report | Name of the report that is populating the summary index | | | | |
| | DHCP Message Rate Trend data | si-search-dhcp-message | | | |
| | DHCPv4 Usage Trend data | si_dhcp_usage_trend | | | |
| | DHCP Top Lease Clients report data | si_dhcp_top_lease_client | | | |
| | Top Devices Denied an IP Address report data | si_devices_denied_an_ip_address | | | |
| | DHCPv4 Range Utilization Trend | si_dhcp_range_utilization_trend | | | |
| | Device and Device Classes reports data | si_dhcp_top_os_by_network | | | |
| search_name | Common summary index fields | | | | |
| search_now | Common summary index fields | | | | |
| source | Splunk Default field | | | | |
| sourcetype | Splunk Default field | | | | |
| splunk_server | Splunk Default field | | | | |
| splunk_server_group | Splunk Default field | | | | |
| start_address | Specifies the start IP address | | IP address | Infoblox DHCP summary | |
| timeendpos | Common extracted fields | | | | |
| timestartpos | Common extracted fields | | | | |
| View | Specifies the network view | | String. Example: default | Infoblox DHCP summary | |

Infoblox DTC Summary

| Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
|---|---|---|---|---|---|
| EA | Common Extracted fields | | | | |
| HWTYPE | Common Extracted fields | | | | |
| MAX_DB_OBJECTS | Common Extracted fields | | | | |
| MAX_DHCP_LPS | Common Extracted fields | | | | |
| MAX_DNS_QPS | Common Extracted fields | | | | |
| MEMBER_IP | Common Extracted fields | | | | |
| date_hour | Splunk Default field | | | | |
| date_mday | Splunk Default field | | | | |
| date_minute | Splunk Default field | | | | |
| date_month | Splunk Default field | | | | |
| date_second | Splunk Default field | | | | |
| date_wday | Splunk Default field | | | | |
| date_year | Splunk Default field | | | | |
| date_zone | Splunk Default field | | | | |
| eventtype | Splunk Default field | | | | |
| host | Splunk Default field | | | | |
| index | Splunk Default field | | | | |
| info_max_time | Common summary index fields | | | | |
| info_min_time | Common summary index fields | | | | |
| info_search_time | Common summary index fields | | | | |
| linecount | Splunk Default field | | | | |
| Monitor | Specifies the monitor | | String. Example: https | Infoblox DTC summary | |
| orig_host | Specifies the host name of the data source | | Example: infoblox.com | Splunk added default field | |
| pool | Specifies the Pool | | String. Example: Pool | Infoblox DTC summary | |
| psrsvd_ct_available | Specifies the count information for available field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_ct_response_count | Specifies the count information for response_count field | si_dtc_response_distribution | | Splunk added special field | |
| psrsvd_ct_unavailable | Specifies the count information for unavailable field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_ct_value | Specifies the count information for value field | si_smart_dns_resource_snmp | | Splunk added special field | |
| psrsvd_gc | Here, gc = group count. This is the count for stats "grouping" and not scoped to a single field. | si_dtc_response_distribution, si_smart_dns_resource_snmp, si_adns_resource_pool_availability, and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_nc_available | Specifies the numerical count information for available field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_nc_response_count | Specifies the numerical count information for response_count field | si_dtc_response_distribution | | Splunk added special field | |
| psrsvd_nc_unavailable | Specifies the numerical count information for unavailable field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_nc_value | Specifies the numerical count information for value field | si_smart_dns_resource_snmp | | Splunk added special field | |
| psrsvd_sm_available | Specifies the sum information for available field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_sm_response_count | Specifies the sum information for response_count field | si_dtc_response_distribution | | Splunk added special field | |
| psrsvd_sm_unavailable | Specifies the sum information for unavailable field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_sm_value | Specifies the sum information for value field | si_smart_dns_resource_snmp | | Splunk added special field | |
| psrsvd_v | Here, v = version. This is not scoped to a single field. | si_dtc_response_distribution, si_smart_dns_resource_snmp, si_adns_resource_pool_availability, and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_vt_available | Contains precision of the available field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_vt_response_count | Contains precision of the response_count field | si_dtc_response_distribution | | Splunk added special field | |
| psrsvd_vt_unavailable | Contains precision of the unavailable field | si_adns_resource_pool_availability and si_smart_dns_resource_availability | | Splunk added special field | |
| psrsvd_vt_value | Contains precision of the value field | si_smart_dns_resource_snmp | | Splunk added special field | |
| report | Name of the report that populates the summary index | | | | |
| | DNS Traffic Control Response Distribution Trend data | si_dtc_response_distribution | | | |
| | DNS Traffic Control Resource Pool Availability reports data | si_adns_resource_pool_availability | | | |
| | DNS Traffic Control Resource SNMP reports data | si_smart_dns_resource_snmp | | | |
| | DNS Traffic Control Resource Availability reports data | si_smart_dns_resource_availability | | | |
| resource | Specifies the resource | | String. Example: Server | Infoblox DTC summary | |
| search_name | Common summary index fields | | | | |
| search_now | Common summary index fields | | | | |
| source | Splunk Default field | | | | |
| sourcetype | Splunk Default field | | | | |
| splunk_server | Splunk Default field | | | | |
| splunk_server_group | Splunk Default field | | | | |
| timeendpos | Common extracted fields | | | | |
| timestartpos | Common extracted fields | | | | |



Infoblox System Summary

| Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
| --- | --- | --- | --- | --- | --- |
| EA | Common Extracted fields | | | | |
| HWTYPE | Common Extracted fields | | | | |
| MAX_DB_OBJECTS | Common Extracted fields | | | | |
| MAX_DHCP_LPS | Common Extracted fields | | | | |
| MAX_DNS_QPS | Common Extracted fields | | | | |
| MEMBER | Specifies the member | | String. Example: infoblox.localdomain: inbound | Evaluated from 'host' and 'sys_report_id' field values | |
| MEMBER_IP | Common Extracted fields | | | | |
| date_hour | Splunk Default field | | | | |
| date_mday | Splunk Default field | | | | |
| date_minute | Splunk Default field | | | | |
| date_month | Splunk Default field | | | | |
| date_second | Splunk Default field | | | | |
| date_wday | Splunk Default field | | | | |
| date_year | Splunk Default field | | | | |
| date_zone | Splunk Default field | | | | |
| eventtype | Splunk Default field | | | | |
| host | Splunk Default field | | | | |
| index | Splunk Default field | | | | |
| info_max_time | Common summary index fields | | | | |
| info_min_time | Common summary index fields | | | | |
| info_search_time | Common summary index fields | | | | |
| linecount | Splunk Default field | | | | |
| orig_host | Specifies the host name of the data source | | Example: infoblox.com | | Splunk added default field |
| psrsvd_ct_CPU_PERCENT | Specifies the count information for the CPU_PERCENT field | si_cpu_usage | | | Splunk added special field |
| psrsvd_ct_MEMORY_PERCENT | Specifies the count information for the MEMORY_PERCENT field | si_memory_utilization | | | Splunk added special field |
| psrsvd_ct_TRAF_VALUE | Specifies the count information for TRAF_VALUE field | si_traffic_rate | | | Splunk added special field |
| psrsvd_gc | Here, gc = group count. This is the count for a stats "grouping," and not scoped to a single field. | si_memory_utilization, si_traffic_rate, and si_cpu_usage | | | Splunk added special field |
| psrsvd_nc_CPU_PERCENT | Specifies the numerical count information for CPU_PERCENT field | si_cpu_usage | | | Splunk added special field |
| psrsvd_nc_MEMORY_PERCENT | Specifies the numerical count information for MEMORY_PERCENT field | si_memory_utilization | | | Splunk added special field |
| psrsvd_nc_TRAF_VALUE | Specifies the numerical count information for TRAF_VALUE field | si_traffic_rate | | | Splunk added special field |
| psrsvd_sm_CPU_PERCENT | Specifies the sum for CPU_PERCENT field | si_cpu_usage | | | Splunk added special field |
| psrsvd_sm_MEMORY_PERCENT | Specifies the sum for MEMORY_PERCENT field | si_memory_utilization | | | Splunk added special field |
| psrsvd_sm_TRAF_VALUE | Specifies the sum for TRAF_VALUE field | si_traffic_rate | | | Splunk added special field |
| psrsvd_v | Here, v = version. This is not scoped to a single field. | si_memory_utilization, si_traffic_rate, and si_cpu_usage | | | Splunk added special field |
| psrsvd_vt_CPU_PERCENT | Contains precision of the CPU_PERCENT field | si_cpu_usage | | | Splunk added special field |
| psrsvd_vt_MEMORY_PERCENT | Contains precision of the MEMORY_PERCENT field | si_memory_utilization | | | Splunk added special field |
| psrsvd_vt_TRAF_VALUE | Contains precision of the TRAF_VALUE field | si_traffic_rate | | | Splunk added special field |
| report | Specifies the name of the report that is populating the summary index | | | | |
| | Index Disk Usage Report Data | si_index_disk_usage | | | |
| | Memory Utilization Trend data | si_memory_utilization | | | |
| | Traffic Rate by Member report data | si_traffic_rate | | | |
| | CPU Utilization Trend data | si_cpu_usage | | | |
| search_name | Common summary index fields | | | | |
| search_now | Common summary index fields | | | | |
| source | Splunk Default field | | | | |
| sourcetype | Splunk Default field | | | | |
| splunk_server | Splunk Default field | | | | |
| splunk_server_group | Splunk Default field | | | | |
| timeendpos | Common extracted fields | | | | |
| timestartpos | Common extracted fields | | | | |



Infoblox Security Summary

| Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
| --- | --- | --- | --- | --- | --- |
| ACTIVE_COUNT | Specifies the active count | | Integer | Infoblox security summary | |
| BLOCK_END | Specifies the block end IP address | | Integer | Infoblox security summary | |
| BLOCK_START | Specifies the block start IP address | | Integer | Infoblox security summary | |
| DNST_CATEGORY | Specifies the destination category | | String | 'atp_rule_sid_lookup' lookup from /tmp/reporting_atp_conf/atp_rule_sid_lookup.csv with 'RULE_SID' value as input | |
| EA | Common Extracted fields | | | | |
| HWTYPE | Common Extracted fields | | | | |
| MAX_DB_OBJECTS | Common Extracted fields | | | | |
| MAX_DHCP_LPS | Common Extracted fields | | | | |
| MAX_DNS_QPS | Common Extracted fields | | | | |
| MEMBER_IP | Common Extracted fields | | | | |
| NAT_STATUS | Specifies the NAT status | | String | Infoblox security summary | |
| RULE_DESCRIPTION | Specifies the rule description | | String. Example: This rule drops unexpected OSPF packets when OSPF is disabled. | 'atp_rule_sid_lookup' lookup from /tmp/reporting_atp_conf/atp_rule_sid_lookup.csv with 'RULE_SID' value as input | |
| RULE_NAME | Specifies the rule name | | String. Example: DROP OSPF unexpected | 'atp_rule_sid_lookup' lookup from /tmp/reporting_atp_conf/atp_rule_sid_lookup.csv with 'RULE_SID' value as input | |
| RULE_SID | Specifies the rule SID | | Integer | Infoblox security summary | |
| SOURCE_IP | Specifies the source IP | | IP address | Infoblox security summary | |
| SOURCE_PORT | Specifies the source port | | Integer | Infoblox security summary | |
| date_hour | Splunk Default field | | | | |
| date_mday | Splunk Default field | | | | |
| date_minute | Splunk Default field | | | | |
| date_month | Splunk Default field | | | | |
| date_second | Splunk Default field | | | | |
| date_wday | Splunk Default field | | | | |
| date_year | Splunk Default field | | | | |
| date_zone | Splunk Default field | | | | |
| eventtype | Splunk Default field | | | | |
| host | Splunk Default field | | | | |
| index | Splunk Default field | | | | |
| info_max_time | Common summary index fields | | | | |
| info_min_time | Common summary index fields | | | | |
| info_search_time | Common summary index fields | | | | |
| linecount | Splunk Default field | | | | |
| orig_host | Specifies the host name of the data source | | Example: infoblox.com | | Splunk added default field |
| report | Name of the report that is populating the summary index | | | | |
| | DNS Tunneling Activity Reports data | si_dns_tunneling_activity | | | |
| search_name | Common summary index fields | | | | |
| search_now | Common summary index fields | | | | |
| source | Splunk Default field | | | | |
| sourcetype | Splunk Default field | | | | |
| splunk_server | Splunk Default field | | | | |
| splunk_server_group | Splunk Default field | | | | |
| timeendpos | Common extracted fields | | | | |
| timestartpos | Common extracted fields | | | | |



When to Update?

You must update this document in the following scenarios of the reporting data model:

...