Splunk key-value table
The following table contains a list of all the Splunk key names used to log data from these Forcepoint Email Security logs:
- Connection
- Message
- Policy
- Delivery
- Hybrid
- Audit
- Console
 
See Log format reference for details about the specific format of each log.
| Splunk Key Name | Key Value | Forcepoint Email Security Log | 
|---|---|---|
| act | Policy action result; Message delivery status | Policy; Delivery, Hybrid, Audit |
| app | Transport protocol | Connection, Delivery | 
| cat | Antispam tool name | Policy | 
| cc | Message header “Cc” | Message | 
| cs1 | Virus name | Policy | 
| deliveryCode | Delivery status code | Delivery | 
| deliveryCodeInfo | Delivery status information | Delivery | 
| deviceDirection | Email direction: inbound/internal = 0, outbound = 1 | Policy |
| deviceFacility | Policy name | Policy | 
| deviceProcessName | Policy rule name | Policy | 
| dst | Email destination IP address | Delivery | 
| duser | Destination (recipient) user name | Message, Policy, Delivery, Hybrid | 
| dvc | Email appliance IP address | Connection, Message, Policy, Delivery, Hybrid, Audit | 
| dvchost | Email appliance fully qualified domain name (FQDN) | Connection, Message, Policy, Delivery, Hybrid | 
| element | Element on the page to which the change was applied | Audit | 
| encryptedDelivery | Encryption type | Delivery | 
| exceptionReason | Reason for exception (e.g., DLP policy, file sandbox, antivirus or antispam analysis) | Policy | 
| externalID | Connection ID | Connection, Message, Delivery | 
| fnameAndHash | Message attachments in the format: `<filename>\|<filehash>\|<triggered/clean/malicious>` | Policy |
| from | Message header “from” | Message, Policy | 
| hybridSpamScore | Email hybrid service spam score | Policy | 
| in | Inbound email size | Message, Policy, Hybrid | 
| localSpamScore | On-premises email spam score | Policy | 
| messageID | Message ID number | Message, Policy, Delivery, Hybrid | 
| msg | Message subject | Audit | 
| page | Page to which a change was made | Audit | 
| reason | Connection status details; Hybrid analysis result | Connection; Hybrid |
| replyTo | Message header “replyTo” | Policy | 
| rt | Time of event receipt (format is MMM dd yyyy HH:mm:ss) | Connection, Message, Policy, Delivery, Hybrid, Audit | 
| spamScore | Email hybrid service spam score | Hybrid | 
| spfResult | Relay control SPF check result | Connection | 
| src | Email source IP address | Connection, Delivery, Hybrid, Audit | 
| suser | Envelope sender | Message, Policy, Hybrid | 
| to | Message header “to” | Message | 
| trueSrc | True source IP address | Message, Policy | 
| url | Message embedded URLs in the format: `<url>\|<url category>\|<triggered/not triggered>` | Policy |
| x-mailer | Email client | Message |
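
The following is an added example, not Forcepoint code: it shows how a consumer of Policy events might split the `fnameAndHash` and `url` values described in the table and decode `deviceDirection`. It assumes one triple per field value and that the key/value pairs have already been extracted into a dict; the function names and all sample values are constructed for illustration.

```python
# Added example: field values below are constructed, not taken from real logs.
FILE_VERDICTS = {"triggered", "clean", "malicious"}
URL_VERDICTS = {"triggered", "not triggered"}
DIRECTIONS = {"0": "inbound/internal", "1": "outbound"}


def split_triple(value, verdicts):
    """Split '<a>|<b>|<verdict>' from the right, so a '|' inside the
    first element (file name or URL) does not shift the other fields."""
    parts = value.strip().rsplit("|", 2)
    if len(parts) != 3:
        raise ValueError(f"expected 3 pipe-separated parts: {value!r}")
    first, second, verdict = (p.strip() for p in parts)
    if verdict.lower() not in verdicts:
        raise ValueError(f"unexpected verdict {verdict!r}")
    return first, second, verdict.lower()


def summarize_policy_event(fields):
    """Return the security-relevant view of one Policy log event.
    `fields` is a dict of already-extracted key/value pairs (assumption)."""
    summary = {
        "direction": DIRECTIONS.get(fields.get("deviceDirection"), "unknown"),
        "flagged_attachment": None,
        "flagged_url": None,
    }
    if fields.get("fnameAndHash"):
        name, digest, verdict = split_triple(fields["fnameAndHash"], FILE_VERDICTS)
        if verdict != "clean":
            summary["flagged_attachment"] = {
                "filename": name, "hash": digest, "verdict": verdict}
    if fields.get("url"):
        link, category, verdict = split_triple(fields["url"], URL_VERDICTS)
        if verdict == "triggered":
            summary["flagged_url"] = {"url": link, "category": category}
    return summary


SAMPLE = {  # constructed sample event; hash and category are placeholders
    "deviceDirection": "0",
    "fnameAndHash": "invoice|final.pdf|0123abcd|malicious",
    "url": "http://example.test/a|uncategorized|not triggered",
}

if __name__ == "__main__":
    print(summarize_policy_event(SAMPLE))
```

Splitting from the right keeps the hash and verdict aligned even when a file name or URL itself contains a pipe character, and an unexpected verdict string raises an error rather than being silently treated as clean.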