Skip to main content

Application data

  • Updated

Application data is a type of data that is generated from higher level applications or services. These applications run above the infrastructure, network and database tiers and are therefore distinct. The application could be a monolithic block of functions or a distributed set of components that rely on a database, appserver, and web tier, and it could be delivered as Software as a Service (SaaS). The interface to the application may include a human-in-the-loop interactive interface or an application programming interface (API) or a combination. 

Data visibility 

This data type typically includes, but is not limited to, the following metrics: concurrent usage trends by users or API calls over time; throughput, latency, and response times for features; feature usage counts, identity, and access information such as who has logged in, at what time, and duration of sessions; and alerts on conditions related to application security and troubleshooting.

Data application

When your Splunk deployment is ingesting application data, you can use the data to achieve objectives related to the following use cases:

High-value fields

This data type has many available fields, but users typically derive the most value out of the fields listed here.

app

Application involved in the event

action

Action taken by the server or proxy 

dest

Destination of the network traffic (the remote host)

src

IP address of the client interacting with the application 

uri_path

The path of the resource served by the web server or proxy.

user

Actual string or identifier that a user logs in with

 

Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, application data is typically mapped to the Authentication, Web, and Change. Note that application data is often unique to the application and need not be normalized. In the event an application does not conform to an existing CIM model, the search time extracted fields can be used as is.  

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.