Reporting Data Model
- Shwetha S
This section contains information about fields that are included in the reports and dashboards. You can find the commonly extracted fields and their specifications such as data source and range, which can help you better define your dashboards and searches.
Splunk default fields
Splunk server adds the following default fields to each event in every index.
Field Name | Description | Values/Range |
date_hour | Indicates the hour when an event occurred. To narrow your search for specific event timestamps, you can use the default datetime fields. Click here for more information on datetime fields. | Range: 0-23 |
date_mday | Indicates the day of the month when the event occurred | Range: 1-31 |
date_minute | Indicates the exact minute when the event occurred | Range: 0-59 |
date_month | Indicates the month during which an event occurred | |
date_second | Indicates the second in which an event occurred | Range: 0-59 |
date_wday | Indicates the day of the week in which an event occurred | Example: Sunday, Monday, etc. |
date_year | Indicates the year in which an event occurred | |
date_zone | Indicates the time for the local timezone of an event, expressed as hours in Unix Time | |
eventtype | Indicates events of the same type based on a given search. Click here for more information. | Example: splunkd-log |
host | Contains information about the originating hostname or a network IP address that generates the event | Example: reporting-1.com |
index | Contains the name of the index with which a given event is indexed | Example: ib_dns_summary |
linecount | Contains information about the number of lines in an event before it is indexed | Example: 1 |
punct | Contains information about the pattern of the first thirty punctuation characters in the first line of the event with which it is associated. It shows how an event looks when all letters, numbers, and spaces are removed and contains characters such as periods, colons, parentheses, quotes, question marks, dashes, and underscores. Click here for more information. | Example: -_::._\[\]:___.../_= |
source | Contains the name of the file, stream, or other input details from which the event originates | Example: si-search-dns-query-reply |
sourcetype | Specifies the format of data input from which the event originates | Stash |
splunk_server | Contains the name of the Splunk server that comprises the event | Example: reporting-2.com-2-<secondary server> |
splunk_server_group | Contains the name of the Splunk server group | String |
Commonly Extracted Fields
Field Name | Description | Values/Range |
EA | Specifies the extensible attribute | String |
HWTYPE | Specifies the hardware type | Example: IB-4015 |
MAX_DB_OBJECTS | Specifies the maximum objects in the database for a host | eg: 8000000 |
MAX_DHCP_LPS | Specifies the maximum number of DHCP leases per second for a host | Example: 15.0 |
MAX_DNS_QPS | Specifies the maximum DNS queries per second for a host | Example: 1000000.0 |
MEMBER_IP | Specifies the IP address of the member | IP address |
timeendpos | Specifies the byte at which the timestamp ends. These values are based on the TIME_FORMAT that is specified for a sourcetype. | Example: 26 |
timestartpos | Specifies the byte at which the timestamp starts | Example: 0 |
Indexes and Extracted Data
Infoblox Audit Logs
Most of the fields in this index are extracted directly from the audit.log file. Some of them are mentioned in the table below:
Extracted Field Name | Description of the field | Values/Range | Source of Data |
ACTION | Indicates the action taken | String. Example: Called | Infoblox audit logs |
ADMIN | Indicates the name of the admin | String. Example: root | Infoblox audit logs |
EA | Common Extracted Fields | ||
EXEC_STATUS | Indicates the execution status | String. Example: Pending Approval | Infoblox audit logs |
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
MESSAGE | Indicates the message | String. Example: to=Serial | Infoblox audit logs |
OBJECT_NAME | Indicates the object name | String. Example: RequestRestartServiceStatus | Infoblox audit logs |
OBJECT_TYPE | Indicates the object type | String. Example: Shared AAAA Record | Infoblox audit logs |
TIMESTAMP | Indicates the timestamp | Timestamp. Example: 2017-01-31 01:57:05 | Infoblox audit logs |
action | Indicates the action | Example: update, insert | Infoblox audit logs |
address | Example: 10.0.0.0 | Infoblox audit logs | |
auth | Example: Local | Infoblox audit logs | |
cidr | Example: 8 | Infoblox audit logs | |
code | Example: created | Infoblox audit logs | |
comment | String | Infoblox audit logs | |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field. | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
group | Example: admin-group | Infoblox audit logs | |
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
member | Example: Member:infoblox.localdomain | Infoblox audit logs | |
network_view | Example: default | Infoblox audit logs | |
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
user | Example: admin | Infoblox audit logs | |
Response_Time | Example: 0.1659 | Infoblox audit logs | |
URI | Example: v2.10/record:host | Infoblox audit logs | |
InData | Example: {'comment': 'this is my one.xyz comment', 'name': 'user.zone.com', 'ipv4addrs': [{'configure_for_dhcp': False, 'mac': 'aa:0:0:0:1:cc', 'ipv4addr': '1.1.1.0'}], 'view': 'default'} | Infoblox audit logs |
Infoblox DNS Query, DNS Performance, DDNS, DNS Record Scavenging
Extracted Field Name | Description of the field | Values/Range | Source of Data |
CLIENT | Indicates the DNS client | String | Infoblox DNS query |
COUNT | Indicates the count | Integer | Infoblox DNS query and DNS Record Scavenging |
EA | Common Extracted Fields | ||
FQDN | Indicates the FQDN | String | Infoblox DNS query |
HITS | Indicates the DNS cache hits count | Integer | Infoblox DNS query |
HNAME | Indicates the HNAME | String | Infoblox DNS query |
HWTYPE | Common Extracted Fields | ||
LATENCY | Indicates the latency count | Integer | Infoblox DNS performance |
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER | Specifies the member | String | DNS Record Scavenging |
MEMBER_IP | Common Extracted fields | ||
MISSES | Specifies DNS cache miss count | Integer | Infoblox DNS query |
QCOUNT | Specifies query count | Integer | Infoblox DNS query |
REST | REST | String | Infoblox DDNS |
SOURCE | SOURCE | String | Infoblox DDNS |
SOURCEA | SOURCEA | IP address | Infoblox DDNS |
TLD | Specifies the top-level domain name | String | Infoblox DNS query |
TYPE | RR Type | String. Example: nxdomain | Infoblox DNS query and DNS Record Scavenging |
TYPEA | TYPEA | String. Example: Success | Infoblox DDNS |
VIEW | String | Infoblox DNS query | |
ZONE | Indicates the name of the zone | String | Infoblox DDNS |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
display_name | Specifies the name of the DNS view | String | . |
eventtype | Splunk Default field | ||
failure | Specifies the DNS FAILURE query count | Integer | |
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
nxdomain | Specifies the DNS NXDOMAIN query count | Integer | |
nxrrset | Specifies the DNS NXRRSET query count | Integer | |
other | Specifies the DNS other query count | Integer | |
punct | Splunk Default field | ||
referral | Specifies the DNS REFERRAL query count | Integer | |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
success | Specifies the DNS success query count | ||
timeendpos | Common Extracted Fields | ||
timestartpos | Common Extracted Fields |
Infoblox DNS Query Capture
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
answer_count | Specifies the answer count | Integer | Infoblox DNS query capture |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
display_name | Specifies the DNS view | String | |
eventtype | Splunk Default field | ||
flag_aa | Flag AA | Boolean. Example: Y | Infoblox DNS query capture |
flag_ad | Flag AD | Boolean. Example: Y | Infoblox DNS query capture |
flag_edns | Flag EDNS | Boolean. Example: Y | Infoblox DNS query capture |
flag_recursion | Flag Recursion | Boolean. Example: Y | Infoblox DNS query capture |
host | Splunk Default field | ||
host_class | Specifies the host class | Example: IN | Infoblox DNS query capture |
host_type | Specifies the host type | Example: PTR | Infoblox DNS query capture |
index | Splunk Default field | ||
linecount | Splunk Default field | ||
message_type | Specifies the message type | Example: Query or Response | Infoblox DNS query capture |
name | Specifies the name | Host name. Example: 1.0.0.127.in-addr.arpa | Infoblox DNS query capture |
query | Specifies the query | Host name. Example: 213.31.102.10.in-addr.arpa | Infoblox DNS query capture |
query_class | Specifies the query class | Example: IN | Infoblox DNS query capture |
query_count | Specifies the query count | Integer. Example: 1 | Infoblox DNS query capture |
query_source | Specifies the query source | Example: I, E | Infoblox DNS query capture |
query_type | Specifies the DNS query type | Example: PTR | Infoblox DNS query capture |
rdata | RDATA | String. This value depends on the query type. | Infoblox DNS query capture |
reply_code | Specifies the reply code | String. Example: ServFail, NoError | Infoblox DNS query capture |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
src_ip | Specifies the source IP | IP Address | Infoblox DNS query capture |
src_port | Specifies the source port | Integer | Infoblox DNS query capture |
time_msec | Specifies time in milliseconds | Integer | Infoblox DNS query capture |
timeendpos | Common Extracted Fields | ||
timestamp | Indicates the timestamp | Integer | Infoblox DNS query capture |
timestartpos | Common Extracted Fields | ||
transport | Specifies the mode of transport | Example: UDP, TCP | Infoblox DNS query capture |
ttl | Specifies the TTL | Integer. Example: 3600 | Infoblox DNS query capture |
view | Specifies the view | Example: 1, 2 | Infoblox DNS query capture |
Infoblox DHCP Performance
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
NETWORK | Specifies the network address | Example: 10.0.0.0/8 | |
address | Specifies the DHCP client address | IP address | Infoblox DHCP performance |
address_total | Specifies the total number of addresses | Integer | Infoblox DHCP performance |
cidr | Specifies the CIDR | Example: 24 | Infoblox DHCP performance |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
dhcp_hosts | Specifies the DHCP hosts count | Integer | Infoblox DHCP performance |
dhcp_utilization | Specifies the DHCP utilization | Integer | Infoblox DHCP performance |
dhcp_utilization_status | Specifies the DHCP utilization status | String | Infoblox DHCP performance |
dhcpv4ack | Specifies the DHCPv4 ACK message count | Integer | Infoblox DHCP performance |
dhcpv4decline | Specifies the DHCPv4 decline message count | Integer | Infoblox DHCP performance |
dhcpv4discover | Specifies the DHCPv4 discover message count | Integer | Infoblox DHCP performance |
dhcpv4inform | Specifies the DHCPv4 inform message count | Integer | Infoblox DHCP performance |
dhcpv4leaseactive | Specifies the DHCPv4 lease active message count | Integer | Infoblox DHCP performance |
dhcpv4leasequery | Specifies the DHCPv4 lease query message count | Integer | Infoblox DHCP performance |
dhcpv4leaseunassigned | Specifies the DHCPv4 lease unassigned message count | Integer | Infoblox DHCP performance |
dhcpv4leaseunknown | Specifies the DHCPv4 lease unknown message count | Integer | Infoblox DHCP performance |
dhcpv4nak | Specifies the DHCPv4 NAK message count | Integer | Infoblox DHCP performance |
dhcpv4offer | Specifies the DHCPv4 offer message count | Integer | Infoblox DHCP performance |
dhcpv4release | Specifies the DHCPv4 release message count | Integer | Infoblox DHCP performance |
dhcpv4request | Specifies the DHCPv4 request message count | Integer | Infoblox DHCP performance |
dhcpv6advertise | Specifies the DHCPv6 advertise message count | Integer | Infoblox DHCP performance |
dhcpv6confirm | Specifies the DHCPv6 confirm message count | Integer | Infoblox DHCP performance |
dhcpv6decline | Specifies the DHCPv6 decline message count | Integer | Infoblox DHCP performance |
dhcpv6information_request | Specifies the DHCPv6 information request message count | Integer | Infoblox DHCP performance |
dhcpv6leasequery | Specifies the DHCPv6 lease query message count | Integer | Infoblox DHCP performance |
dhcpv6leasequery_reply | Specifies the DHCPv6 lease query reply message count | Integer | Infoblox DHCP performance |
dhcpv6rebind | Specifies the DHCPv6 rebind message count | Integer | Infoblox DHCP performance |
dhcpv6reconfigure | Specifies the DHCPv6 reconfigure message count | Integer | Infoblox DHCP performance |
dhcpv6relay_forward | Specifies the DHCPv6 relay forward message count | Integer | Infoblox DHCP performance |
dhcpv6relay_reply | Specifies the DHCPv6 relay reply message count | Integer | Infoblox DHCP performance |
dhcpv6release | Specifies the DHCPv6 release message count | Integer | Infoblox DHCP performance |
dhcpv6renew | Specifies the DHCPv6 renew message count | Integer | Infoblox DHCP performance |
dhcpv6reply | Specifies the DHCPv6 reply message count | Integer | Infoblox DHCP performance |
dhcpv6request | Specifies the DHCPv6 request message count | Integer | Infoblox DHCP performance |
dhcpv6solicit | Specifies the DHCPv6 solicit message count | Integer | Infoblox DHCP performance |
display_name | Specifies the DNS View | String | |
dynamic_hosts | Specifies the dynamic hosts count | Integer | Infoblox DHCP performance |
end_address | Specifies the end IP address | IP address | Infoblox DHCP performance |
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
members | Specifies the DHCP member | Example: infoblox.localdomain | Infoblox DHCP performance |
ms_servers | Specifies the MS servers | IP address | Infoblox DHCP performance |
protocol | Specifies the DHCP protocol | Example: IPV4 | |
punct | Splunk Default field | ||
ranges | Specifies the DHCP ranges count | Integer | Infoblox DHCP performance |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
start_address | Specifies the start IP address | IP address | Infoblox DHCP performance |
static_hosts | Specifies the static hosts count | Integer | Infoblox DHCP performance |
timeendpos | Common Extracted Fields | ||
timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox DHCP performance |
timestartpos | Common Extracted Fields | ||
View | Specifies the network view | Example: default | Infoblox DHCP performance |
Infoblox DHCP FingerPrint, DHCP Lease History
Extracted Field Name | Description of the field | Values/Range | Source of Data |
ACTION | Specifies the action | String. Example: Issued | Infoblox DHCP lease history |
CIDR | Specifies the CIDR | Integer | Infoblox DHCP lease history |
DEVICE_CLASS | Specifies the device class | String. Example: Linux | |
EA | Common Extracted Fields | ||
END_EPOCH | Specifies the end epoch time | Integer | Infoblox DHCP lease history |
FP | Specifies the name of the DHCP fingerprint | String. Example: No Match | Infoblox DHCP lease history |
FP_CIDR | Specifies the fingerprint CIDR | Integer. Example: 8 | Infoblox DHCP lease history |
FP_NW | Specifies the fingerprint network | Network address. Example: 10.0.0.0 | Infoblox DHCP lease history |
FP_RANGE | Specifies the fingerprint range | Network range. Example: 10.0.0.1-10.0.0.200 | Infoblox DHCP lease history |
FP_VIEW | Specifies the fingerprint view | String. Example: default | Infoblox DHCP lease history |
HWTYPE | Common Extracted fields | ||
LEASE_IP | Specifies the lease IP address | IP address | Infoblox DHCP lease history |
MAC_DUID | Specifies the MAC address | MAC address | Infoblox DHCP lease history |
MAX_DB_OBJECTS | Common Extracted fields | ||
MAX_DHCP_LPS | Common Extracted fields | ||
MAX_DNS_QPS | Common Extracted fields | ||
MEMBER_IP | Common Extracted fields | ||
MS Server | Specifies the MS server | IP Address | Infoblox DHCP lease history |
NW | Specifies the network | Network address. Example: 10.0.0.0 | Infoblox DHCP lease history |
OPTION12HOST | Specifies the host name that is sent using DHCP Option 12 | String. Example: Fedora21 | Infoblox DHCP lease history |
OS_NUMBER | Specifies the OS number | Integer | Infoblox DHCP lease history |
PROTO | Specifies the protocol | String. Example: dhcpd | Infoblox DHCP lease history |
SFP | SFP | String. Example: Ubuntu/Debian 5/Knoppix 6 | Infoblox DHCP fingerprint |
START_EPOCH | Specifies the start epoch time | Integer | Infoblox DHCP lease history |
VIEW | Specifies the view | Infoblox DHCP lease history | |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
display_name | Specifies the DNS view | String | |
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common extracted fields | ||
timestartpos | Common extracted fields |
Infoblox DDI Utilization
Extracted Field | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
address_alloc | Specifies the address allocation count | Integer | Infoblox DDI utilization |
address_assignable | Specifies the address assignable count | Integer | Infoblox DDI utilization |
address_assigned | Specifies the address assigned count | Integer | Infoblox DDI utilization |
address_conflicts | Specifies the address conflicts count | Infoblox DDI utilization | |
address_reserved | Specifies the address reserved count | Integer | Infoblox DDI utilization |
address_total | Specifies the total number of addresses | Integer | Infoblox DDI utilization |
address_unalloc | Specifies the address unallocation count | Integer | Infoblox DDI utilization |
address_unmanaged | Specifies the address unmanaged count | Integer | Infoblox DDI utilization |
allocation | Allocation | Integer | Infoblox DDI utilization |
cidr | Specifies the CIDR | Example: 24 | Infoblox DDI utilization |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
discovered_name | Specifies the discovered name | String | Infoblox DDI utilization |
display_name | Specifies the DNS view | String | |
eventtype | Splunk Default field | ||
first_discovered_timestamp | Specifies the first discovered timestamp | Timestamp | Infoblox DDI utilization |
host | Splunk Default field | ||
hosts | Specifies the address hosts count | Integer | Infoblox DDI utilization |
index | Splunk Default field | ||
ip_address | Specifies the IP address | IP Address | Infoblox DDI utilization |
last_discovered_timestamp | Specifies the last discovered timestamp | timestamp | Infoblox DDI utilization |
linecount | Splunk Default field | ||
managed | Indicates if managed or not | Boolean | Infoblox DDI utilization |
management_platform | Specifies the management platform | String | Infoblox DDI utilization |
members | Specifies the DHCP members | Example: infoblox.localdomain | Infoblox DDI utilization |
ms_primary | Specifies the MS primary | String | Infoblox DDI utilization |
port_vlan_name | Specifies the VLAN port name | String | Infoblox DDI utilization |
port_vlan_number | Specifies the VLAN port number | Integer | Infoblox DDI utilization |
network_view | Specifies the network view | String | Infoblox DDI utilization |
primary | Primary | FQDN | Infoblox DDI utilization |
protocol | Specifies the DHCP protocol | Example: IPV4 | Infoblox DDI utilization |
punct | Splunk Default field | ||
rr_a | Specifies the resource record A count | Integer | Infoblox DDI utilization |
rr_aaaa | Specifies the resource record AAAA count | Integer | Infoblox DDI utilization |
rr_cname | Specifies the resource record CNAME count | Integer | Infoblox DDI utilization |
rr_dhcid | Specifies the resource record DHCID count | Integer | Infoblox DDI utilization |
rr_dname | Specifies the resource record DNAME count | Integer | Infoblox DDI utilization |
rr_dnskey | Specifies the resource record DNSKEY count | Integer | Infoblox DDI utilization |
rr_ds | Specifies the resource record DS count | Integer | Infoblox DDI utilization |
rr_lbdn | Specifies the resource record LBDN count | Integer | Infoblox DDI utilization |
rr_mx | Specifies the resource record MX count | Integer | Infoblox DDI utilization |
rr_naptr | Specifies the resource record NAPTR count | Integer | Infoblox DDI utilization |
rr_ns | Specifies the resource record NS count | Integer | Infoblox DDI utilization |
rr_nsec | Specifies the resource record NSEC count | Integer | Infoblox DDI utilization |
rr_nsec3 | Specifies the resource record NSEC3 count | Integer | Infoblox DDI utilization |
rr_nsec3param | Specifies the resource record NSEC3PARAM count | Integer | Infoblox DDI utilization |
rr_other | Specifies the resource record OTHER count | Integer | Infoblox DDI utilization |
rr_ptr | Specifies the resource record PTR count | Integer | Infoblox DDI utilization |
rr_rrsig | Specifies the resource record RRSIG count | Integer | Infoblox DDI utilization |
rr_soa | Specifies the resource record SOA count | Integer | Infoblox DDI utilization |
rr_srv | Specifies the resource record SRV count | Integer | Infoblox DDI utilization |
rr_tlsa | Specifies the resource record TLSA count | Integer | Infoblox DDI utilization |
rr_total | Specifies the resource record TOTAL count | Integer | Infoblox DDI utilization |
rr_txt | Specifies the resource record TXT count | Integer | Infoblox DDI utilization |
signed | Indicates whether signed or not | Boolean | Infoblox DDI utilization |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
Timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox DDI utilization |
timestartpos | Common Extracted Fields | ||
utilization | Specifies the address utilization count | Integer | Infoblox DDI utilization |
view | Specifies the network view | Example: default | Infoblox DDI utilization |
zone_format | Specifies the zone format | String. Example: Forward-Mapping | Infoblox DDI utilization |
zone_name | Specifies the zone name | String. Example: member1.com | Infoblox DDI utilization |
zones_forward | Specifies the zone forward count | Integer | Infoblox DDI utilization |
zones_ipv4 | Specifies the IPv4 count of the zone | Integer | Infoblox DDI utilization |
zones_ipv6 | Specifies the IPv6 count of the zone | Integer | Infoblox DDI utilization |
zones_signed | Specifies the signed count of the zone | Integer | Infoblox DDI utilization |
Infoblox Discovered Devices Related Dashboards/Reports
Extracted Field Name | Description of the field | Values/Range | Source of Data |
ADM_DN_OP_DN_COUNT | Admin-Down/Operation-DownPort Count | Integer | Infoblox discovered devices related |
ADM_UP_OP_DN_COUNT | Admin-Up/Operation-UpPort Count | Integer | Infoblox discovered devices related |
ADM_UP_OP_UP_COUNT | Admin-Up/Operation-DownPort Count | Integer | Infoblox discovered devices related |
COMPONENT_NAME | Specifies the component name | String. Example: DELL-PC8024F | Infoblox discovered devices related |
COMPONENT_TYPE | Specifies the component type | String. Example: Switch-Router | Infoblox discovered devices related |
COMPONENT_PORT | Specifies the component port | String. Example: Gi1/0/24 | Infoblox discovered devices related |
DEVICE_MGMT_IP | Specifies the device management IP address | IP address | Infoblox discovered devices related |
DEVICE_MODEL | Specifies the device model | String. Example: EX2200 | Infoblox discovered devices related |
DEVICE_NAME | Specifies the device name | String. Example: Cisco_434f44 | Infoblox discovered devices related |
DEVICE_TYPE | Specifies the device type | String. Example: Switch, Router | Infoblox discovered devices related |
DEVICE_VENDOR | Specifies the device vendor | String. Example: Avaya | Infoblox discovered devices related |
DISCOVERED_MAC_DUID | Specifies the discovered MAC DUID | MAC address | Infoblox discovered devices related |
| Specifies the discoverd name | Example: dev_view1.yahoo.com | Infoblox discovered devices related |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
IN_USE_FLAG | In use flag | Integer. Example: 1 | Infoblox discovered devices related |
IPADDR | Specifies the IP address | IP Address. Example: 11.11.11.11 | Infoblox discovered devices related |
IPADDR_MASK | Specifies the IP address mask | Integer. Example: 128 | Infoblox discovered devices related |
MAC_DUID | Specifies the MAC address | MAC address | Infoblox discovered devices related |
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
NETWORK_VIEW | Specifies the network view | String. Example: default | Infoblox discovered devices related |
NON_NULL_NAME | Specifies the non-null name | String. Example: DELL-PC8024F | |
NON_NULL_PORT | Specifies the non-null port | String. Example: Gi1/0/24 | |
TIMESTAMP | Specifies the timestamp | Timestamp. Example: 2017-02-15 15:56:27 | Infoblox discovered devices related |
TIMESTAMP_USER_HOST_ PROCESS_PID_INFO_PREFIX | Specifies the timestamp userhost process pid info prefix | String. Example: 2017-02-15T11:02:53+00:00 user infoblox.localdomain | Infoblox discovered devices related |
TOTAL_AVAIL_COUNT | Specifies the total available count | Integer | Infoblox discovered devices related |
Type | Specifies the type | String. Example: Discovery | |
ap_bss_mac | Access Point BSS MAC | MAC address | Infoblox discovered devices related |
ap_ip_dotted | Access Point IP dotted | String | Infoblox discovered devices related |
ap_mac | Access Point MAC | MAC address | Infoblox discovered devices related |
ap_name | Access Point name | String | Infoblox discovered devices related |
ap_associated_ssid | Access Point associated SSID | String | Infoblox discovered devices related |
asset_type | Specifies the asset type | String. Example: Physical Device | Infoblox discovered devices related |
class | Specifies the class name | String. Example: port | Infoblox discovered devices related |
component_name | Specifies the component name | String. Example: GigabitEthernet1/0/1 | Infoblox discovered devices related |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
Description | Specifies the description | String. Example: Gigabit Ethernet Port | Infoblox discovered devices related |
device_id | Specifies the device ID | Integer | Infoblox discovered devices related |
device_ip_address | Specifies the device IP address | IP address | Infoblox discovered devices related |
device_model | Specifies the device model | String. Example: catalyst37xxStack | Infoblox discovered devices related |
device_name | Specifies the device name | String. Example:DELL-PC8024F | Infoblox discovered devices related |
device_os_version | Specifies the device OS version | String. Example: 4.14.6M | Infoblox discovered devices related |
device_type | Specifies the device type | String. Example: Switch | Infoblox discovered devices related |
device_vendor | Specifies the device vendor | String. Example: Cisco | Infoblox discovered devices related |
device_version | Specifies the device version | String. Example: 5.1.2.3 | Infoblox discovered devices related dashboards/reports |
display_name | Specifies the DNS view | String | Infoblox discovered devices related dashboards/reports |
end_host_addl_info | Specifies additional information about the end host | String | Infoblox discovered devices related dashboards/reports |
end_host_device_model | Specifies the device model of the end host | String. Example: catalyst37xxStack | Infoblox discovered devices related dashboards/reports |
end_host_device_type | Specifies the device type of the end host | String. Example: Switch-Router | Infoblox discovered devices related dashboards/reports |
end_host_device_vendor | Specifies the device vendor of the end host | String. Example: Cisco | Infoblox discovered devices related dashboards/reports |
end_host_first_discovered | Specifies the first occasion when the end host was first discovered | Integer | Infoblox discovered devices related dashboards/reports |
end_host_ip_address | Specifies the IP address of the end host | IP address | Infoblox discovered devices related dashboards/reports |
end_host_last_discovered | Indicates when was end host last discovered | Integer | Infoblox discovered devices related dashboards/reports |
end_host_mac_address | Specifies the MAC address of the end host | MAC address | Infoblox discovered devices related dashboards/reports |
end_host_name | Specifies the name of the end host | String. Example: WS-C3750X-24P | Infoblox discovered devices related dashboards/reports |
end_host_network_view | Specifies the network view of the end host | String. Example: custom view | Infoblox discovered devices related dashboards/reports |
end_host_os_version | Specifies the version of the end host OS | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
eventtype | Splunk Default field | ||
firmware_rev | Indicates firmware revision | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
first_seen | First seen timestamp | Integer | Infoblox discovered devices related dashboards/reports |
hardware_rev | Specifies revision of the hardware | String. Example: V05 | Infoblox discovered devices related dashboards/reports |
host | Splunk Default field | ||
index | Splunk Default field | ||
interface_admin_status | Specifies the interface admin status | String. Example: up | Infoblox discovered devices related dashboards/reports |
interface_description | Specifies the interface interface description | String | Infoblox discovered devices related dashboards/reports |
interface_ip_address | Specifies the interface IP address | IP address | Infoblox discovered devices related dashboards/reports |
interface_name | Specifies the interface name | String. Example: Fa0 | Infoblox discovered devices related dashboards/reports |
interface_port_status | Specifies the interface port status | String. Example: up | Infoblox discovered devices related dashboards/reports |
interface_speed | Specifies the interface speed | Integer. Example: 1000000000 | Infoblox discovered devices related dashboards/reports |
interface_type | Specifies the interface type | String. Example: tunnel | Infoblox discovered devices related dashboards/reports |
interface_vlan | Specifies the interface VLAN ID | Integer Example: 16 | Infoblox discovered devices related dashboards/reports |
interface_vlan_name | Specifies the interface VLAN name | String. Example: VLAN1014 | Infoblox discovered devices related dashboards/reports |
ip_address | Specifies the IP address | IP address | Infoblox discovered devices related dashboards/reports |
is_trunk_port | Specifies if it is a trunk port or not | Boolean | Infoblox discovered devices related dashboards/reports |
last_seen | Specifies the last seen timestamp | Integer | Infoblox discovered devices related dashboards/reports |
linecount | Splunk Default field | ||
model | Specifies the model name | String. Example: DCS-7048T-A | Infoblox discovered devices related dashboards/reports |
network_view | Specifies the network view | String. Example: custom view | Infoblox discovered devices related dashboards/reports |
port_last_changed_at | The timestamp when the port was last changed | Timestamp | Infoblox discovered devices related dashboards/reports |
punct | Splunk Default field | ||
serial_number | Specifies the serial number | String. Example: JPE12440180 | Infoblox discovered devices related dashboards/reports |
software_rev | Specifies the software revision | String. Example: 15.2(1)E2 | Infoblox discovered devices related dashboards/reports |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
switch_interface | Specifies the switch interface | String. Example: Gi0/47 | Infoblox discovered devices related dashboards/reports |
switch_ip_address | Specifies the switch IP Address | IP Address | Infoblox discovered devices related dashboards/reports |
switch_model | Indicates the switch model | String. Example: cat3560x48 | Infoblox discovered devices related dashboards/reports |
switch_name | Specifies the switch name | String. Example: ni-mri-sw4.inca.infoblox.com | Infoblox discovered devices related dashboards/reports |
switch_os_version | Specifies the OS version of the switch | String. Example: 12.2(53)SE2 | Infoblox discovered devices related dashboards/reports |
switch_type | Specifies the switch type | String. Example: Switch | Infoblox discovered devices related dashboards/reports |
switch_vendor | Specifies the vendor of the switch | String. Example: Cisco | Infoblox discovered devices related dashboards/reports |
switch_vlan | Specifies the switch VLAN | Integer. Example: 18 | Infoblox discovered devices related dashboards/reports |
timeendpos | Common Extracted Fields | ||
timestamp | Indicates the timestamp | Integer | Infoblox discovered devices related dashboards/reports |
timestamp_user_host_process_pid_info_prefix | Specifies the prefix | String | Infoblox discovered devices related dashboards/reports |
timestartpos | Common Extracted Fields | ||
user_id | Specifies the User ID | Infoblox discovered devices related dashboards/reports | |
View | Specifies the DNS view | String | Infoblox discovered devices related |
virtual_ind | Specifies the virtual indicator | Integer |
Infoblox Threat Protection Related Dashboards/Reports
Extracted Field Name | Description of the field | Values/Range | Source of Data |
ACOUNT | ACOUNT | Integer | Infoblox threat protection |
ACTIVE_COUNT | Specifies the active count | Integer | Infoblox threat protection |
ALERT_ID | Specifies the alert ID | Integer | Infoblox threat protection |
ALERT_TYPE | Specifies the alert type | String | Infoblox threat protection |
BLOCK_END | Specifies the block end IP address | Integer | Infoblox threat protection |
BLOCK_START | Specifies the block start IP address | Integer | Infoblox threat protection |
CATEGORY | Specifies the category | String. Example: OSPF | Infoblox threat protection |
CLIENT | Specifies the client | String | Infoblox threat protection |
COUNT | Specifies the count | Integer | Infoblox threat protection |
DCOUNT | Specifies the DCOUNT | Integer | Infoblox threat protection |
DNST_CATEGORY | Specifies the destination category | String | Infoblox threat protection |
DOMAIN_NAME | Specifies the domain name | String | Infoblox threat protection |
EA | Common Extracted Fields | ||
FIREEYE_APPLIANCE | Specifies the FireEye appliance | String | Infoblox threat protection |
HWTYPE | Common Extracted Fields | ||
LOG_SEVERITY | Specifies log severity | String | Infoblox threat protection |
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
MESSAGE | Specifies the message | String. Example: DROP OSPF unexpected | Infoblox threat protection |
MITIGATION_ACTION | Specifies the mitigation action | String | Infoblox threat protection |
NAT_STATUS | Specifies the NAT status | String | Infoblox threat protection |
RECORD_DATA | Specifies the record data | String | Infoblox threat protection |
RPZ_QNAME | Specifies the RPZ QNAME | String | Infoblox threat protection |
RULE_DESCRIPTION | Specifies the rule description | String. Example: This rule drops any unexpected OSPF packets when OSPF is disabled. | |
RULE_NAME | Specifies the rule name | String. Example: DROP OSPF unexpected | |
RULE_SID | Specifies the rule SID | Integer | Infoblox threat protection |
SEVERITY | Specifies the severity | String. Example: INFORMATIONAL | Infoblox threat protection |
SID | Specifies the SID | Integer | Infoblox threat protection |
SOURCE_IP | Specifies the source IP | IP address | Infoblox threat protection |
SOURCE_PORT | Specifies the source port | Integer | Infoblox threat protection |
TIMESTAMP | Indicates the timestamp | Timestamp | Infoblox threat protection |
TOTAL_COUNT | Specifies the total count | Integer | Infoblox threat protection |
VIEW | Specifies the DNS view | String | Infoblox threat protection |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timestartpos | Common extracted fields |
Infoblox DNS Traffic Control
Most of the fields in this index are extracted directly from the syslog_filtered.log file. Some of them are mentioned in the table below:
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
available | Specifies the available count | Integer | Infoblox DNS traffic control |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
monitor | Specifies the DNS Traffic Control SNMP health monitor | String | Infoblox DNS traffic control |
pool | Specifies the pool | String | Infoblox DNS traffic control |
punct | Splunk Default field | ||
resource | Specifies the resource | String | Infoblox DNS traffic control |
response_count | Specifies the response count | Integer | Infoblox DNS traffic control |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestamp | Indicates the timestamp of the event | Example: 2017-02-04 03:45:53 | |
timestartpos | Common Extracted Fields | ||
unavailable | Specifies the unavailable count | Integer | Infoblox DNS traffic control |
Infoblox Cloud Related Dashboards/Reports
Extracted Field Name | Description of the field | Values/Range | Source of Data |
ACTION | Specifies the action | String. Example: Allocated | |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
TENANT_NAME | Specifies the name of the tenant associated with the VM | String | |
action | Specifies the action count | Integer | Infoblox cloud related dashboards/reports |
address | Specifies the IP address | IP address | Infoblox cloud related dashboards/reports |
address_type | Specifies the type of address | Integer | Infoblox cloud related dashboards/reports |
application_type | Specifies the application type | Infoblox cloud related dashboards/reports | |
cidr | Specifies the CIDR | Example: 24 | Infoblox cloud related dashboards/reports |
cnames | Specifies the common name | String | Infoblox cloud related dashboards/reports |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
display_name | Specifies the DNS view | String | |
elastic_address | Specifies the elastic IP address | IP address | Infoblox cloud related dashboards/reports |
eventtype | Splunk Default field | ||
Fqdn | Specifies the FQDN | String | Infoblox cloud related dashboards/reports |
host | Splunk Default field | ||
index | Splunk Default field | ||
interface_name | Specifies the interface name | String | Infoblox cloud related dashboards/reports |
is_primary_ifc | Indicates if primary IFC or not | Example: 0 (not primary) | Infoblox cloud related dashboards/reports |
linecount | Splunk Default field | ||
location | Specifies the location | Infoblox cloud related dashboards/reports | |
mac_address | Specifies the MAC address | Example: 00:11:22:33:44:55 | Infoblox cloud related dashboards/reports |
mgmt_platform | Specifies management platform | Example: vm132ctest | Infoblox cloud related dashboards/reports |
network | Specifies the network address | Example: 10.0.0.0/8 | Infoblox cloud related dashboards/reports |
network_view | Specifies the network view | Example: default | Infoblox cloud related dashboards/reports |
port_id | Specifies the port ID | Integer | Infoblox cloud related dashboards/reports |
private_address | Specifies the private address | IP address | Infoblox cloud related dashboards/reports |
private_hostname | Specifies the private hostname | String | Infoblox cloud related dashboards/reports |
public_address | Specifies the public address | IP address | Infoblox cloud related dashboards/reports |
public_hostname | Specifies the public hostname | String | Infoblox cloud related dashboards/reports |
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
tenant_id | Specifies the tenant ID | Integer | Infoblox cloud related dashboards/reports |
timeendpos | Common Extracted Fields | ||
timestamp | Indicates the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox cloud related dashboards/reports |
timestartpos | Common Extracted Fields | ||
view | Specifies the DNS view | String | |
vlan_id | Specifies the VLAN ID | Integer | Infoblox cloud related dashboards/reports |
vm_hostname | Specifies the hostname of the VM | String | Infoblox cloud related dashboards/reports |
vm_name | Specifies the name of the VM | Example: 99 | Infoblox cloud related dashboards/reports |
vm_vpc_address | Specifies the VPC address of the VM | IP address | Infoblox cloud related dashboards/reports |
vm_vpc_cidr | Specifies the VPC CIDR of the VM | Example: 24 | Infoblox cloud related dashboards/reports |
vm_vpc_id | Specifies the VPC ID of the VM | Integer | Infoblox cloud related dashboards/reports |
vm_vpc_name | Specifies the VPC name of the VM | Integer | Infoblox cloud related dashboards/reports |
vpc_addr | Specifies the VPC address | IP address | Infoblox cloud related dashboards/reports |
Infoblox Syslog
Most of the fields in this index are extracted directly from the syslog_filtered.log file. Some of them are mentioned in the table below:
Extracted Field Name | Description of the field | Values/Range | Source of Data |
BOOT_IMAGE | Example: /boot/bzImage | Infoblox syslog file | |
CPUs | Integer. Example: 8 | Infoblox syslog file | |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
group | Example: admin-group | Infoblox syslog file | |
hits | Integer | Infoblox syslog file | |
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
misses | Integer | Infoblox syslog file | |
punct | Splunk Default field | ||
size | Integer | Infoblox syslog file | |
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestartpos | Common Extracted Fields |
System Capacity
Extracted Field Name | Description of the field | Values/Range | Source of Data |
COUNT | Specifies the count | Integer | System capacity |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
PERCENT | Specifies the percentage | Integer | System capacity |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestartpos | Common Extracted Fields |
Infoblox System Utilization (CPU, Memory, Network Traffic) Related Dashboards/Reports
Extracted Field Name | Description of the field | Values/Range | Source of Data |
CPU_PERCENT | Specifies the CPU percentage | Integer value within 0-100 | Infoblox system utilization |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
MEMORY_PERCENT | Specifies the memory percentage | Integer. Value within 0-100 | Infoblox system utilization |
TRAF_VALUE | Specifies the traffic value | Integer | Infoblox system utilization |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
linecount | Splunk Default field | ||
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
sys_report_id | Specifies the report ID based on whether inbound or outbound | Integer | Infoblox system utilization |
timeendpos | Common Extracted Fields | ||
timestartpos | Common Extracted Fields |
Infoblox Ecosystem Subscription
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
cisco_ise_endpoint_profile | Specifies the Cisco ISE endpoint profile | String | Infoblox ecosystem subscription |
cisco_ise_security_group | Specifies the Cisco ISE security group | Infoblox ecosystem subscription | |
cisco_ise_session_state | Specifies the Cisco ISE session state | String. Example: STARTED | Infoblox ecosystem subscription |
cisco_ise_ssid | Specifies the Cisco ISE SSID | String | Infoblox ecosystem subscription |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
domainname | Specifies the domain name | String | Infoblox ecosystem subscription |
ea_eps_status | Specifies the EPS status of the extensible attribute | String | Infoblox ecosystem subscription |
eventtype | Splunk Default field | ||
guid | Specifies the GUID | String | Infoblox ecosystem subscription |
host | Splunk Default field | ||
index | Splunk Default field | ||
ip_address | Specifies the IP address | IP address | Infoblox ecosystem subscription |
last_discovered_timestamp | Specifies the last discovered timestamp | Integer | Infoblox ecosystem subscription |
linecount | Splunk Default field | ||
port_vlan_name | Specifies the VLAN name of the port | String | Infoblox ecosystem subscription |
port_vlan_number | Specifies the VLAN number of the port | Integer | Infoblox ecosystem subscription |
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox ecosystem subscription |
timestartpos | Common Extracted Fields | ||
username | Specifies the username | String | Infoblox ecosystem subscription |
Infoblox Ecosystem Publication
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
contents | Specifies the content | String. Example: {'LEASE_STATE': 'STARTED', 'Lease_Start_Time': '2017-03-01T07:00:00Z', 'MAC_OR_DUID': '80:3c:3e:29:84:cc', 'Fingerprint': 'No Match', 'Lease_End_Time': '2017-03-01T07:02:00Z', 'IPAddress': '10.0.0.20', 'Infoblox_Member': '10.35.205.6'} | Infoblox ecosystem publication |
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
ip_address | Specifies the IP address | IP address | Infoblox ecosystem publication |
linecount | Splunk Default field | ||
notification_action | Specifies the notification action | Example: CISCOISE_PUBLISH_IPAM | Infoblox ecosystem publication |
notification_target | Specifies the notification target | IP address | Infoblox ecosystem publication |
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestamp | Specifies the timestamp of the event | Example: 2017-02-04 03:45:53 | Infoblox ecosystem publication |
timestartpos | Common Extracted Fields |
Reporting License Usage
Extracted Field Name | Description of the field | Values/Range | Source of Data |
EA | Common Extracted Fields | ||
HWTYPE | Common Extracted Fields | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||
MAX_DHCP_LPS | Common Extracted Fields | ||
MAX_DNS_QPS | Common Extracted Fields | ||
MEMBER_IP | Common Extracted Fields | ||
date_hour | Splunk Default field | ||
date_mday | Splunk Default field | ||
date_minute | Splunk Default field | ||
date_month | Splunk Default field | ||
date_second | Splunk Default field | ||
date_wday | Splunk Default field | ||
date_year | Splunk Default field | ||
date_zone | Splunk Default field | ||
display_name | Specifies the DNS view | String | |
eventtype | Splunk Default field | ||
host | Splunk Default field | ||
index | Splunk Default field | ||
license_count | Specifies the license count | Integer | Reporting license usage |
license_pool | Specifies the license pool | String. Example: cloud_api.0 | Reporting license usage |
linecount | Splunk Default field | ||
punct | Splunk Default field | ||
source | Splunk Default field | ||
sourcetype | Splunk Default field | ||
splunk_server | Splunk Default field | ||
splunk_server_group | Splunk Default field | ||
timeendpos | Common Extracted Fields | ||
timestamp | Indicates the timestamp | Timestamp | Reporting license usage |
timestartpos | Common Extracted Fields | ||
utilization | Specifies the utilization | Integer | Reporting license usage |
view | Specifies the DNS view | String |
Summary Indexes
Summary Indexes Frequency
The field frequencies of all fields for each summary index are as mentioned below:
Summary Index | Report | Frequency | Cron Schedule | Earliest | Latest |
ib_dns_summary | si_dns_reclaimed_object_count_trend | At every 30th minute from 21 through 59 | 21-59/30 * * * * | 30m@m | 60m@m |
si_dns_top_clients | At every 30th minute from 2 through 59 | 2-59/30 * * * * | 30m@m | 60m@m | |
si_dns_query_reply | At every 30th minute from 18 through 59 | 18-59/30 * * * * | 30m@m | 60m@m | |
si_top_servfail_received_queries | At every 30th minute from 7 through 59 | 7-59/30 * * * * | 30m@m | 60m@m | |
si_dns_response_latency_trend | At every 30th minute from 20 through 59 | 20-59/30 * * * * | 30m@m | 60m@m | |
si_dns_member_qps_trend_per_hour | At minute 34 | 34 * * * * | @h | -1h@h | |
si_top_nxdomain_query | At every 30th minute from 5 through 59 | 5-59/30 * * * * | 30m@m | 60m@m | |
si_dns_member_qps_trend_per_day | Every day 32 minutes past midnight | 32 0 * * * | @d | -1d@d | |
si_dns_member_qps_trend | At every 30th minute from 12 through 59 | 12-59/30 * * * * | 30m@m | 60m@m | |
si_dns_requested_domain | At every 30th minute from 4 through 59 | 4-59/30 * * * * | 30m@m | 60m@m | |
si_dns_qps_trend | At every 30th minute from 10 through 59 | 10-59/30 * * * * | 30m@m | 60m@m | |
si_top_servfail_sent_queries | At every 30th minute from 6 through 59 | 6-59/30 * * * * | 30m@m | 60m@m | |
si_ddns_update | At every 30th minute from 6 through 59 | 6-59/30 * * * * | 30m@m | 60m@m | |
si_dns_cache_hit_ratio | At every 30th minute from 8 through 59 | 8-59/30 * * * * | 30m@m | 60m@m | |
si_top_timeout_queries | At every 30th minute from 8 through 59 | 8-59/30 * * * * | 30m@m | 60m@m | |
si_dns_rpz_hits | At every 10th minute from 2 through 59 | 2-59/10 * * * * | 10m@m | 20m@m | |
si_top_clients_per_domain | At every 30th minute from 3 through 59 | 3-59/30 * * * * | 30m@m | 60m@m | |
ib_dhcp_summary | si_dhcp_message | At every 30th minute from 14 through 59 | 14-59/30 * * * * | 30m@m | 60m@m |
si_dhcp_usage_trend | At 22 minutes past every 8th hour | 22 */8 * * * | 15m@m | 495m@m | |
si_dhcp_top_lease_client | At every 30th minute from 16 through 59 | 16-59/30 * * * * | 30m@m | 60m@m | |
si_devices_denied_an_ip_address | At every 30th minute from 19 through 59 | 19-59/30 * * * * | 30m@m | 60m@m | |
si_dhcp_range_utilization_trend | At 24 minutes past every 8th hour | 24 */8 * * * | 15m@m | 495m@m | |
si_dhcp_top_os_by_network | At every 30th minute from 16 through 59 | 16-59/30 * * * * | 30m@m | 60m@m | |
ib_dtc_summary | si_dtc_response_distribution | At 37 minutes past every 6th hour | 37 */6 * * * | 10m@m | 370m@m |
si_adns_resource_pool_availability | At 23 minutes past every 6th hour | 23 */6 * * * | 10m@m | 370m@m | |
si_smart_dns_resource_snmp | At 47 minutes past every 6th hour | 47 */6 * * * | 10m@m | 370m@m | |
si_smart_dns_resource_availability | At 47 minutes past every 6th hour | 47 */6 * * * | 10m@m | 370m@m | |
ib_system_summary | si_index_disk_usage | At 37 minutes past every 6th hour | 37 */6 * * * | 10m@m | 370m@m |
si_memory_utilization | At every 30th minute from 26 through 59 | 26-59/30 * * * * | 30m@m | 60m@m | |
si_traffic_rate | At every 30th minute from 28 through 59 | 28-59/30 * * * * | 30m@m | 60m@m | |
si_cpu_usage | At every 30th minute | */30 * * * * | 30m@m | 60m@m | |
ib_security_summary | si_dns_tunneling_activity | At every 3030th th minute from 11 through 59 | 11-59/30 * * * * | 30m@m | 60m@m |
Note:
cron schedule - cron time scheduled to execute a search
earliest time - specifies the earliest time for a search
latest time - specifies the latest time for a saved search
Common fields in summary indexes
Splunk server adds the following fields to every event in each summary index.
Field Name | Description of the field | Values/Range | Remarks |
info_max_time | The info_* fields are added to each event when you use the addinfo command. This command is primarily an internally-used component of Summary Indexing. Click here for more information. | Integer | Splunk added special field |
info_min_time | Specifies the earliest time boundary for search | Integer | Splunk added special field |
info_search_time | Specifies the time when search was initiated | Integer | Splunk added special field |
search_name | Specifies the name of the saved search | Example: si-search-dns-query-reply | Splunk added special field |
search_now | Specifies the time when search was scheduled to run | Integer | Splunk added special field |
Infoblox DNS Summary
Note: *psrsvd* stands for *prestats reserved{*}. Syntax is psrsvd_\[type\]_\[fieldname\]. These special fields are added by Splunk to summary index data that begins with *psrsvd* when you initiate search using the *si** command to populate a summary index. See List of available psrsvd types from Splunk docs.
Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
CLIENT | Specifies the IP address of the DNS client | Example: 10.39.18.60 | |||
COUNT | Specifies the count of DNS queries | si_dns_top_clients | Integer | ||
Specifies the count of SERVFAIL errors that are received for DNS clients | si_top_servfail_received_queries | Integer | |||
Specifies the count of NXDOMAIN/NOERROR replies for DNS clients | si_top_nxdomain_query | Integer | |||
Specifies the count of DNS domain name requests | si_dns_requested_domain | Integer | |||
Specifies the count of DNS queries per second | si_dns_qps_trend | Integer | |||
Specifies the count of DNS SERVFAIL errors that are sent for DNS queries | si_top_servfail_sent_queries | Integer | |||
Specifies the count of DNS timed-out recursive queries | si_top_timeout_queries | Integer | |||
Specifies the average count of DNS RPX hits | si_dns_rpz_hits | Integer | |||
Specifies the count of DNS clients per domain | si_top_clients_per_domain | Integer | |||
EA | Common Extracted Fields | ||||
FQDN | Specifies the fully qualified domain name | si_dns_requested_domain and | Example: 213.31.102.10.in-addr.arpa | ||
HWTYPE | Common Extracted Fields | ||||
MAX_DB_OBJECTS | Common Extracted Fields | ||||
MAX_DHCP_LPS | Common Extracted Fields | ||||
MAX_DNS_QPS | Common Extracted Fields | ||||
MEMBER | Specifies the member | String | Infoblox DNS Summary | ||
MEMBER_IP | Common Extracted Fields | ||||
TLD | Specifies top level domain names | si_dns_requested_domain | Example: arpa | ||
TYPE | Specifies the DNS response type | si_dns_query_reply, | SUCCESS/NOERROR OR | ||
VIEW | It refers to the DNS view key to map DNS view through lookup. See display_name field. | si_dns_requested_domain, | Example: _default | ||
date_hour | Splunk Default field | ||||
date_mday | Splunk Default field | ||||
date_minute | Splunk Default field | ||||
date_month | Splunk Default field | ||||
date_second | Splunk Default field | ||||
date_wday | Splunk Default field | ||||
date_year | Splunk Default field | ||||
date_zone | SplunkReporting Data Model | ||||
display_name | Specifies the DNS view | si_dns_requested_domain, | Example: default.MS-2016 | ||
eventtype | Splunk Default field | ||||
host | Splunk Default field | ||||
index | Splunk Default field | ||||
info_max_time | Common summary index fields | ||||
info_min_time | Common summary index fields | ||||
info_search_time | Common summary index fields | ||||
linecount | Splunk Default field | ||||
orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
psrsvd_ct_COUNT | Here, ct = count. It contains the count information for the COUNT field. | si_dns_query_reply and si_dns_qps_trend | Splunk added special field | ||
psrsvd_ct_LATENCY | Contains the count information for the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
psrsvd_ct_QCOUNT | Contains the count information for the QCOUNT field | si_dns_member_qps_trend_per_hour, | Splunk added special field | ||
psrsvd_gc | Here, gc = group count. It indicates the count for stats grouping and it is not scoped to a single field. | si_dns_query_reply, | Splunk added special field | ||
psrsvd_nc_COUNT | Here, nc = numerical count. It indicates the number of numerical values and contains the numerical count information for the COUNT field. | si_dns_query_reply and | Splunk added special field | ||
psrsvd_nc_LATENCY | Contains the numerical count information for the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
psrsvd_nc_QCOUNT | Contains the numerical count information for the QCOUNT field | si_dns_member_qps_trend_per_hour, | Splunk added special field | ||
psrsvd_nx_QCOUNT | Here, nx = maximum numerical value. It contains the maximum numerical value information for the QCOUNT field. | si_dns_member_qps_trend_per_hour and | Splunk added special field | ||
psrsvd_sm_COUNT | Here, sm = sum. It contains the sum information for the COUNT field. | si_dns_query_reply and | Splunk added special field | ||
psrsvd_sm_LATENCY | Contains the sum information for the LATENCY field. | si_dns_response_latency_trend | Splunk added special field | ||
psrsvd_sm_QCOUNT | Contains the sum information for the QCOUNT field | si_dns_member_qps_trend_per_hour, | Splunk added special field | ||
psrsvd_sx_QCOUNT | Here, sx = maximum lexicographical value. | si_dns_member_qps_trend_per_hour | Splunk added special field | ||
psrsvd_v | Here, v = version. This is not scoped to a single field. | si_dns_query_reply, | Splunk added special field | ||
psrsvd_vt_COUNT | Here, vt = value type. It contains precision of the associated field. | si_dns_query_reply and | Splunk added special field | ||
psrsvd_vt_LATENCY | Contains precision of the LATENCY field | si_dns_response_latency_trend | Splunk added special field | ||
psrsvd_vt_QCOUNT | Contains precision of the QCOUNT field | si_dns_member_qps_trend_per_hour, | Splunk added special field | ||
report | Contains the name of the report that populates the summary index | ||||
DNS Scavenge Object Count Trend data | si_dns_reclaimed_object_count_trend | ||||
DNS Top Clients report data | si_dns_top_clients | ||||
DNS Replies Trend data | si_dns_query_reply | ||||
DNS Top SERVFAIL Errors Received Report data | si_top_servfail_received_queries | ||||
DNS Response Latency Trend data | si_dns_response_latency_trend | ||||
DNS Daily Peak Hour Query Rate by Member Report data | si_dns_member_qps_trend_per_hour | ||||
DNS Top NXDOMAIN / NOERROR (no data) Report data | si_top_nxdomain_query | ||||
DNS Daily Query Rate by Member Report data | si_dns_member_qps_trend_per_day | ||||
DNS Query Rate by Member Report data | si_dns_member_qps_trend | ||||
DNS Top Requested Domain Names Report data | si_dns_requested_domain | ||||
DNS Queries Per Second Trend data | si_dns_qps_trend | ||||
DNS Top SERVFAIL Errors Sent Report data | si_top_servfail_sent_queries | ||||
DDNS Update Rate Trend data | si_ddns_update | ||||
DNS Cache Hit Rate Trend data | si_dns_cache_hit_ratio | ||||
DNS Top Timed-Out Recursive Queries Report data | si_top_timeout_queries | ||||
DNS RPZ Hits Reports data | si_dns_rpz_hits | ||||
DNS Top Clients per Domain Report data | si_top_clients_per_domain | ||||
search_name | Common summary index fields | ||||
search_now | Common summary index fields | ||||
source | Splunk Default field | ||||
sourcetype | Splunk Default field | ||||
splunk_server | Splunk Default field | ||||
splunk_server_group | Splunk Default field | ||||
timeendpos | Common Extracted Fields | ||||
timestartpos | Common Extracted Fields |
Infoblox DHCP Summary
Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
ACTION | Specifies the action | String. Example: Issued | Infoblox DHCP summary | ||
DEVICE_CLASS | Specifies the device class | String. Example: Linux | |||
DHCP_RANGE | Specifies the DHCP range | Network range. Example: 10.0.0.1-10.0.0.200 | |||
EA | Common Extracted fields | ||||
FP | Specifies the fingerprint data | String. Example: No Match | Infoblox DHCP summary | ||
HWTYPE | Common Extracted Fields | ||||
LEASED_IP | Specifies the lease IP address | IP address | Infoblox DHCP summary | ||
MAC_DUID | Specifies the MAC address | MAC address | Infoblox DHCP summary | ||
MAX_DB_OBJECTS | Common Extracted Fields | ||||
MAX_DHCP_LPS | Common Extracted Fields | ||||
MAX_DNS_QPS | Common Extracted Fields | ||||
MEMBER_IP | Common Extracted Fields | ||||
Protocol | Specifies the DHCP protocol | String. Example: IPV4 | Infoblox DHCP summary | ||
SFP | Specifies the SFP | String. Example: Ubuntu/Debian 5/Knoppix 6 | |||
VIEW | It refers to the DNS view key to map the DNS view through lookup. See display_name field | String | |||
date_hour | Splunk Default field | ||||
date_mday | Splunk Default field | ||||
date_minute | Splunk Default field | ||||
date_month | Splunk Default field | ||||
date_second | Splunk Default field | ||||
date_wday | Splunk Default field | ||||
date_year | Splunk Default field | ||||
date_zone | Splunk Default field | ||||
dhcp_utilization_status | Specifies the DHCP utilization status | String | Infoblox DHCP summary | ||
display_name | Specifies the DNS view | String | |||
end_address | Specifies the end IP address | IP address | Infoblox DHCP summary | ||
eventtype | Splunk Default field | ||||
host | Splunk Default field | ||||
index | Splunk Default field | ||||
info_max_time | Common summary index fields | ||||
info_min_time | Common summary index fields | ||||
info_search_time | Common summary index fields | ||||
linecount | Splunk Default field | ||||
members | Specifies the DHCP member | String. Example: infoblox.localdomain | Infoblox DHCP summary | ||
ms_servers | Specifies the MS servers | IP address | Infoblox DHCP summary | ||
orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
psrsvd_ct_FREE_ | Specifies the count information for FREE_ADDRESSES field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_ct_dhcp_utilization | Specifies the count for dhcp_utilization field | si_dhcp_range_utilization | Splunk added special field | ||
psrsvd_ct_dynamic_hosts | Specifies the count for dynamic_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_ct_static_hosts | Specifies the count for static_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_ct_v4ack | Specifies the count for v4ack field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4decline | Specifies the count for v4decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4discover | Specifies the count for v4discover field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4inform | Specifies the count for v4inform field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4leaseactive | Specifies the count for v4leaseactive field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4leasequery | Specifies the count for v4leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4leaseunassigned | Specifies the count for v4leaseunassigned field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4leaseunknown | Specifies the count for v4leaseunknown field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4nak | Specifies the count for | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4offer | Specifies the count for v4offer field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4release | Specifies the count for v4release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v4request | Specifies the count for v4request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6advertise | Specifies the count for v6advertise field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6confirm | Specifies the count for v6confirm field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6decline | Specifies the count for v6decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6information_ | Specifies the count for v6information_request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6leasequery | Specifies the count for v6leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6leasequery_ | Specifies the count for v6leasequery_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6rebind | Specifies the count for v6rebind field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6reconfigure | Specifies the count for v6reconfigure field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6relay_forward | Specifies the count for v6relay_forward field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6relay_reply | Specifies the count for v6relay_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6release | Specifies the count for v6release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6renew | Specifies the count for v6renew field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6reply | Specifies the count for v6reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6request | Specifies the count for v6request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_ct_v6solicit | Specifies the count for v6solicit field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_gc | Here, gc = group count. The count for stats grouping and not scoped to a single field. | Splunk added special field | |||
psrsvd_nc_FREE_ | Specifies the numerical count for FREE_ADDRESSES field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_nc_dhcp_utilization | Specifies the numerical count for dhcp_utilization field | si_dhcp_range_utilization_trend | Splunk added special field | ||
psrsvd_nc_dynamic_hosts | Specifies the numerical count for dynamic_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_nc_static_hosts | Specifies the numerical count for static_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_nc_v4ack | Specifies the numerical count for v4ack field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4decline | Specifies the numerical count for v4decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4discover | Specifies the numerical count for v4discover field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4inform | Specifies the numerical count for v4inform field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4leaseactive | Specifies the numerical count for v4leaseactive field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4leasequery | Specifies the numerical count for v4leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4leaseunassigned | Specifies the numerical count for v4leaseunassigned field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4leaseunknown | Specifies the numerical count for v4leaseunknown field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4nak | Specifies the numerical count for v4nak field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4offer | Specifies the numerical count for v4offer field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4release | Specifies the numerical count for v4release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v4request | Specifies the numerical count for v4request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6advertise | Specifies the numerical count for v6advertise field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6confirm | Specifies the numerical count for v6confirm field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6decline | Specifies the numerical count for v6decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6information_ | Specifies the numerical count for v6information_request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6leasequery | Specifies the numerical count for v6leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6leasequery_reply | Specifies the numerical count for v6leasequery_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6rebind | Specifies the numerical count for v6rebind field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6reconfigure | Specifies the numerical count for v6reconfigure field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6relay_forward | Specifies the numerical count for v6relay_forward field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6relay_reply | Specifies the numerical count for v6relay_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6release | Specifies the numerical count for v6release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6renew | Specifies the numerical count for v6renew field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6reply | Specifies the numerical count for v6reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6request | Specifies the numerical count for v6request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_nc_v6solicit | Specifies the numerical count for v6solicit field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_FREE_ | Specifies the sum for FREE_ADDRESSES field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_sm_dhcp_utilization | Specifies the sum for dhcp_utilization field | si_dhcp_range_utilization_trend | Splunk added special field | ||
psrsvd_sm_dynamic_hosts | Specifies the sum for dynamic_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_sm_static_hosts | Specifies the sum for static_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_sm_v4ack | Specifies the sum for v4ack field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4decline | Specifies the sum for v4decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4discover | Specifies the sum for v4discover field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4inform | Specifies the sum for v4inform field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4leaseactive | Specifies the sum for v4leaseactive field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4leasequery | Specifies the sum for v4leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4leaseunassigned | Specifies the sum for v4leaseunassigned field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4leaseunknown | Specifies the sum for v4leaseunknown field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4nak | Specifies the sum for v4nak field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4offer | Specifies the sum for v4offer field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4release | Specifies the sum for v4release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v4request | Specifies the sum for v4request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6advertise | Specifies the sum for v6advertise field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6confirm | Specifies the sum for v6confirm field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6decline | Specifies the sum for v6decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6information_ | Specifies the sum for v6information_request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6leasequery | Specifies the sum for v6leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6leasequery_reply | Specifies the sum for v6leasequery_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6rebind | Specifies the sum for v6rebind field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6reconfigure | Specifies the sum for v6reconfigure field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6relay_forward | Specifies the sum for v6relay_forward field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6relay_reply | Specifies the sum for v6relay_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6release | Specifies th sum for v6release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6renew | Specifies the sum for v6renew field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6reply | Specifies the sum for v6reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6request | Specifies the sum for v6request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_sm_v6solicit | Specifies the sum for v6solicit field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_v | Here, v = version. This is not scoped to a single field. | si_dhcp_usage_trend, | Splunk added special field | ||
psrsvd_vt_FREE_ADDRESSES | Contains precision of the FREE_ADDRESSES field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_vt_dhcp_utilization | Contains precision of the dhcp_utilization field | si_dhcp_range_utilization_trend | Splunk added special field | ||
psrsvd_vt_dynamic_hosts | Contains precision of the dynamic_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_vt_static_hosts | Contains precision of the static_hosts field | si_dhcp_usage_trend | Splunk added special field | ||
psrsvd_vt_v4ack | Contains precision of the v4ack field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4decline | Contains precision of the v4decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4discover | Contains precision of the v4discover field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4inform | Contains precision of the v4inform field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4leaseactive | Contains precision of the v4leaseactive field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4leasequery | Contains precision of the v4leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4leaseunassigned | Contains precision of the v4leaseunassigned field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4leaseunknown | Contains precision of the v4leaseunkown field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4nak | Contains precision of the v4nak field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4offer | Contains precision of the v4offer field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4release | Contains precision of the v4release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v4request | Contains precision of the v4request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6advertise | Contains precision of the v6advertise field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6confirm | Contains precision of the v6confirm field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6decline | Contains precision of the v6decline field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6information_request | Contains precision of the v6information_request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6leasequery | Contains precision of the v6leasequery field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6leasequery_reply | Contains precision of the v6leasequery_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6rebind | Contains precision of the v6rebind field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6reconfigure | Contains precision of the v6reconfigure field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6relay_forward | Contains precision of the v6relay_forward field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6relay_reply | Contains precision of the v6relay_reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6release | Contains precision of the v6release field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6renew | Contains precision of the v6renew field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6reply | Contains precision of the v6reply field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6request | Contains precision of the v6request field | si-search-dhcp-message | Splunk added special field | ||
psrsvd_vt_v6solicit | Contains precision of the v6solicit field | si-search-dhcp-message | Splunk added special field | ||
report | Name of the report that is populating the summary index | ||||
DHCP Message Rate Trend data | si-search-dhcp-message | ||||
DHCPv4 Usage Trend data | si_dhcp_usage_trend | ||||
DHCP Top Lease Clients report data | si_dhcp_top_lease_client | ||||
Top Devices Denied an IP Address report data | si_devices_denied_an_ip_address | ||||
DHCPv4 Range Utilization Trend | si_dhcp_range_utilization_trend | ||||
Device and Device Classes reports data | si_dhcp_top_os_by_network | ||||
search_name | Common summary index fields | ||||
search_now | Common summary index fields | ||||
source | Splunk Default field | ||||
sourcetype | Splunk Default field | ||||
splunk_server | Splunk Default field | ||||
splunk_server_group | Splunk Default field | ||||
start_address | Specifies the start IP address | IP address | Infoblox DHCP summary | ||
timeendpos | Common Extracted Fields | ||||
timestartpos | Common Extracted Fields | ||||
View | Specifies the network view | String. Example: default | Infoblox DHCP summary |
Infoblox DTC Summary
Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
EA | Common Extracted Fields | ||||
HWTYPE | Common Extracted Fields | ||||
MAX_DB_OBJECTS | Common Extracted Fields | ||||
MAX_DHCP_LPS | Common Extracted Fields | ||||
MAX_DNS_QPS | Common Extracted Fields | ||||
MEMBER_IP | Common Extracted Fields | ||||
date_hour | Splunk Default field | ||||
date_mday | Splunk Default field | ||||
date_minute | Splunk Default field | ||||
date_month | Splunk Default field | ||||
date_second | Splunk Default field | ||||
date_wday | Splunk Default field | ||||
date_year | Splunk Default field | ||||
date_zone | Splunk Default field | ||||
eventtype | Splunk Default field | ||||
host | Splunk Default field | ||||
index | Splunk Default field | ||||
info_max_time | Common summary index fields | ||||
info_min_time | Common summary index fields | ||||
info_search_time | Common summary index fields | ||||
linecount | Splunk Default field | ||||
Monitor | Specifies the monitor | String. Example: https | Infoblox DTC summary | ||
orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
pool | Specifies the Pool | String. Example: Pool | Infoblox DTC summary | ||
psrsvd_ct_available | Specifies the count information for available field | si_adns_resource_pool_availability | Splunk added special field | ||
psrsvd_ct_response_count | Specifies the count information for response_count field | si_dtc_response_distribution | Splunk added special field | ||
psrsvd_ct_unavailable | Specifies the count information for unavailable field | si_adns_resource_pool_availability | Splunk added special field | ||
psrscd_ct_value | Specifies the count information for value field | si_smart_dns_resource_snmp | Splunk added special field | ||
psrsvd_gc | Here, gc = group count. This is the count for stats grouping and it is not scoped to a single field. | si_dtc_response_distribution, | Splunk added special field | ||
psrsvd_nc_available | Specifies the numerical count information for available field | si_adns_resource_pool_availability | Splunk added special field | ||
psrsvd_nc_response_count | Specifies the numerical count information for response_count field | si_dtc_response_distribution | Splunk added special field | ||
psrsvd_nc_unavailable | Specifies the numerical count information for unavailable field | si_adns_resource_pool_availability | Splunk added special field | ||
psrsvd_nc_value | Specifies the numerical count information for value field | si_smart_dns_resource_snmp | Splunk added special field | ||
psrsvd_sm_available | Specifies the sum information for available field | si_adns_resource_pool_availability | Splunk added special field | ||
psrsvd_sm_response_count | Specifies the sum information for response_count field | si_dtc_response_distribution | Splunk added special field | ||
psrsvd_sm_unavailable | Specifies the sum information for unavailable field | si_adns_resource_pool_availability and | Splunk added special field | ||
psrsvd_sm_value | Specifies the sum information for value field | si_smart_dns_resource_snmp | Splunk added special field | ||
psrsvd_v | Here, v = version. This is not scoped to a single field. | si_dtc_response_distribution, | Splunk added special field | ||
psrsvd_vt_available | Contains precision of the available field | si_adns_resource_pool_availability and | Splunk added special field | ||
psrsvd_vt_response_count | Contains precision of the response_count field | si_dtc_response_distribution | Splunk added special field | ||
psrsvd_vt_unavailable | Contains precision of the unavailable field | si_adns_resource_pool_availability and | Splunk added special field | ||
psrsvd_vt_value | Contains precision of the value field | si_smart_dns_resource_snmp | Splunk added special field | ||
report | Name of the report that populates the summary index | ||||
DNS Traffic Control Response Distribution Trend data | si_dtc_response_distribution | ||||
DNS Traffic Control Resource Pool Availability reports data | si_adns_resource_pool_availability | ||||
DNS Traffic Control Resource SNMP reports data | si_smart_dns_resource_snmp | ||||
DNS Traffic Control Resource Availability reports data | si_smart_dns_resource_availability | ||||
resource | Specifies the resource | String. Example: Server | Infoblox DTC summary | ||
search_name | Common summary index fields | ||||
search_now | Common summary index fields | ||||
source | Splunk Default field | ||||
sourcetype | Splunk Default field | ||||
splunk_server | Splunk Default field | ||||
splunk_server_group | Splunk Default field | ||||
timeendpos | Common Extracted Fields | ||||
timestartpos | Common Extracted Fields |
Infoblox System Summary
Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
EA | Common Extracted Fields | ||||
HWTYPE | Common Extracted Fields | ||||
MAX_DB_OBJECTS | Common Extracted Fields | ||||
MAX_DHCP_LPS | Common Extracted Fields | ||||
MAX_DNS_QPS | Common Extracted Fields | ||||
MEMBER | Specifies the member | String. Example: infoblox.localdomain: inbound | |||
MEMBER_IP | Common Extracted Fields | ||||
date_hour | Splunk Default field | ||||
date_mday | Splunk Default field | ||||
date_minute | Splunk Default field | ||||
date_month | Splunk Default field | ||||
date_second | Splunk Default field | ||||
date_wday | Splunk Default field | ||||
date_year | Splunk Default field | ||||
date_zone | Splunk Default field | ||||
eventtype | Splunk Default field | ||||
host | Splunk Default field | ||||
index | Splunk Default field | ||||
info_max_time | Common summary index fields | ||||
info_min_time | Common summary index fields | ||||
info_search_time | Common summary index fields | ||||
linecount | Splunk Default field | ||||
orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
psrsvd_ct_CPU_PERCENT | Specifies the count information for the CPU_PERCENT field | si_cpu_usage | Splunk added special field | ||
psrsvd_ct_MEMORY_PERCENT | Specifies the count information for the MEMORY_PERCENT field | si_memory_utilization | Splunk added special field | ||
psrsvd_ct_TRAF_VALUE | Specifies the count information for TRAF_VALUE field | si_traffic_rate | Splunk added special field | ||
psrsvd_gc | Here, gc = group count. This is the count for a stats grouping and it is not scoped to a single field. | si_memory_utilization, | Splunk added special field | ||
psrsvd_nc_CPU_PERCENT | Specifies the numerical count information for CPU_PERCENT field | si_cpu_usage | Splunk added special field | ||
psrsvd_nc_MEMORY_PERCENT | Specifies the numerical count information for MEMORY_PERCENT field | si_memory_utilization | Splunk added special field | ||
psrsvd_nc_TRAF_VALUE | Specifies the numerical count information for TRAF_VALUE field | si_traffic_rate | Splunk added special field | ||
psrsvd_sm_CPU_PERCENT | Specifies the sum for CPU_PERCENT field | si_cpu_usage | Splunk added special field | ||
psrsvd_sm_MEMORY_PERCENT | Specifies the sum for MEMORY_PERCENT field | si_memory_utilization | Splunk added special field | ||
psrsvd_sm_TRAF_VALUE | Specifies the sum for TRAF_VALUE field | si_traffic_rate | Splunk added special field | ||
psrsvd_v | Here, v = version. This is not scoped to a single field. | si_memory_utilization, | Splunk added special field | ||
psrsvd_vt_CPU_PERCENT | Contains precision of the CPU_PERCENT field | si_cpu_usage | Splunk added special field | ||
psrsvd_vt_MEMORY_PERCENT | Contains precision of the MEMORY_PERCENT field | si_memory_utilization | Splunk added special field | ||
psrsvd_vt_TRAF_VALUE | Contains precision of the TRAF_VALUE field | si_traffic_rate | Splunk added special field | ||
report | Specifies the name of the report that is populating the summary index | ||||
Index Disk Usage Report Data | si_index_disk_usage | ||||
Memory Utilization Trend data | si_memory_utilization | ||||
Traffic Rate by Member report data | si_traffic_rate | ||||
CPU Utilization Trend data | si_cpu_usage | ||||
search_name | Common summary index fields | ||||
search_now | Common summary index fields | ||||
source | Splunk Default field | ||||
sourcetype | Splunk Default field | ||||
splunk_server | Splunk Default field | ||||
splunk_server_group | Splunk Default field | ||||
timeendpos | Common Extracted Fields | ||||
timestartpos | Common Extracted Fields |
Infoblox Security Summary
Extracted Field Name | Description of the field | Reports | Values/Range | Source of Data | Remarks |
ACTIVE_COUNT | Specifies the active count | Integer | Infoblox security summary | ||
BLOCK_END | Specifies the block end IP address | Integer | Infoblox security summary | ||
BLOCK_START | Specifies the block start IP address | Integer | Infoblox security summary | ||
DNST_CATEGORY | Specifies the destination category | String | |||
EA | Common Extracted Fields | ||||
HWTYPE | Common Extracted Fields | ||||
MAX_DB_OBJECTS | Common Extracted Fields | ||||
MAX_DHCP_LPS | Common Extracted Fields | ||||
MAX_DNS_QPS | Common Extracted Fields | ||||
MEMBER_IP | Common Extracted Fields | ||||
NAT_STATUS | Specifies the NAT status | String | Infoblox security summary | ||
RULE_DESCRIPTION | Specifies the rule description | String. Example: This rule drops unexpected OSPF packets when OSPF is disabled. | |||
RULE_NAME | Specifies the rule name | String. Example: DROP OSPF unexpected | |||
RULE_SID | Specifies the rule SID | Integer | Infoblox security summary | ||
SOURCE_IP | Specifies the source IP | IP address | Infoblox security summary | ||
SOURCE_PORT | Specifies the source port | Integer | Infoblox security summary | ||
date_hour | Splunk Default field | ||||
date_mday | Splunk Default field | ||||
date_minute | Splunk Default field | ||||
date_month | Splunk Default field | ||||
date_second | Splunk Default field | ||||
date_wday | Splunk Default field | ||||
date_year | Splunk Default field | ||||
date_zone | Splunk Default field | ||||
eventtype | Splunk Default field | ||||
host | Splunk Default field | ||||
index | Splunk Default field | ||||
info_max_time | Common summary index fields | ||||
info_min_time | Common summary index fields | ||||
info_search_time | Common summary index fields | ||||
linecount | Splunk Default field | ||||
orig_host | Specifies the host name of the data source | Example: infoblox.com | Splunk added default field | ||
report | Name of the report that is populating the summary index | ||||
DNS Tunneling Activity Reports data | si_dns_tunneling_activity | ||||
search_name | Common summary index fields | ||||
search_now | Common summary index fields | ||||
source | Splunk Default field | ||||
sourcetype | Splunk Default field | ||||
splunk_server | Splunk Default field | ||||
splunk_server_group | Splunk Default field | ||||
timeendpos | Common Extracted Fields | ||||
timestartpos | Common Extracted Fields |