Application data is a type of data that is generated from higher level applications or services. These applications run above the infrastructure, network and database tiers and are therefore distinct. The application could be a monolithic block of functions or a distributed set of components that rely on a database, appserver, and web tier, and it could be delivered as Software as a Service (SaaS). The interface to the application may include a human-in-the-loop interactive interface or an application programming interface (API) or a combination.
This data type typically includes, but is not limited to, the following metrics: concurrent usage trends by users or API calls over time; throughput, latency, and response times for features; feature usage counts, identity, and access information such as who has logged in, at what time, and duration of sessions; and alerts on conditions related to application security and troubleshooting.
When your Splunk deployment is ingesting application data, you can use the data to achieve objectives related to the following use cases:
This data type has many available fields, but users typically derive the most value out of the fields listed here.
Application involved in the event
Action taken by the server or proxy
Destination of the network traffic (the remote host)
IP address of the client interacting with the application
The path of the resource served by the web server or proxy.
Actual string or identifier that a user logs in with
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, application data is typically mapped to the Authentication, Web, and Change. Note that application data is often unique to the application and need not be normalized. In the event an application does not conform to an existing CIM model, the search time extracted fields can be used as is.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.