The fields and tags in the Authentication data model describe login activities from any data source.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Authentication event datasets

The following tags act as constraints to identify your events as being relevant to this data model.

The following table lists the extracted and calculated fields for the event datasets in the model. The table does not include any inherited fields. For more information, see How to use these reference tables.

The key for using the column titled "Abbreviated list of example values" follows:

- Recommended: Add-on developers make their best effort attempts to map these event fields. If these fields are not populated, then the event is not very useful.
- Required: Add-on developers must map these event fields when using the pytest-splunk-addon to test for CIM compatibility.
- Prescribed values: Permitted values that can populate the fields, which Splunk is using for a particular purpose. Other valid values exist, but Splunk is not relying on them.
- Other values: Other example values that you might see.

For even more examples, see Authentication Field Mapping.

- The application involved in the event (such as ssh, splunk, win:local).
- The method used to authenticate the request such as SAML, FIDO, MFA, Kerberos, NTLM, LM, NTLMv2, PSK, Password.
- The service used to authenticate the request such as Okta, ActiveDirectory, AzureAD.
- The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, dest_nt_host.
- The business unit of the authentication target. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.
- The category of the authentication target, such as email_server or SOX-compliant.
- The name of the Active Directory used by the authentication target, if applicable.
- The priority of the authentication target.
- The amount of time for the completion of the authentication event, in seconds.
- The human-readable message associated with the authentication action (success or failure).