Operational Telemetry data model

The Operational Telemetry data model normalizes telemetry across Manufacturing, Facilities/BMS, Smart Cities, Events, and Critical Infrastructure into a single, queryable schema. All dashboards in the Splunk OT Intelligence app use this data model.

About the Operational Telemetry data model

The data model covers a broad range of OT data types — from numeric sensor readings and equipment states to alarms, production counts, maintenance records, and physical security events.

The model has one root object, named All Telemetry, which contains 10 child objects. Each child object represents a domain of operational telemetry data:

| Child object | Description |
| --- | --- |
| Metrics | Universal numeric sensor readings. |
| Events | Discrete alarms, faults, and notifications. |
| States | Equipment operational states and modes. |
| Production | Manufacturing counts, batches, and tracking. |
| OEE | Overall Equipment Effectiveness and downtime. |
| Quality | Quality measurements and SPC. |
| Maintenance | Work orders and predictive maintenance. |
| Security | Access control and physical security. |
| Venue Operations | Event/venue scheduling and identification. |
| Location | Real-time location tracking from Cisco Spaces, BLE, and WiFi. |

For a general introduction to how Splunk data models work, including datasets, field types, constraints, and inheritance, see the About data models topic in the Splunk Cloud Platform documentation.

Requirements and prerequisites

Requirements to install

  • Splunk OT Intelligence version 4.13.0 or higher.

  • Data must reside in indexes that are matched by the ot_indexes macro. All events must include the following five required base fields: device_id, device_type, vertical, site, and system.

Configure the ot_indexes macro

The ot_indexes macro tells all Operational Telemetry dashboards which indexes to search. If your data is not in an index covered by this macro, none of the dashboards will show the data.

To configure the macro, perform the following steps:

  1. Go to Settings, and then Advanced Search, and then Search Macros.
  2. Navigate to ot_indexes.
  3. Add your index to the definition.

To include multiple indexes, add each one using OR in the definition. For example, (index=my_iot OR index=my_scada). Only events in matching indexes will be visible to the dashboards.

Map your data to the data model

If your raw events do not already have the required fields for the data model, you can enrich and map them at search time using Splunk's built-in lookup and field configuration features. No changes to your data pipeline are required.

Step 1: Add the five required fields using an automatic lookup

If you have a lookup table that maps a device identifier (such as a serial number) to device_id, device_type, site, system, and vertical, you can use an automatic lookup to enrich every matching event at search time.

  1. Go to Settings, and then Lookups, and then Automatic Lookups.
  2. Select your sourcetype.
  3. Set your device identifier, for example serial_number, as the input field.
  4. Set device_id, device_type, site, system, and vertical as the output fields.

Every event from your selected sourcetype will now be automatically enriched with the five required fields.

Step 2: Map fields using calculated fields

If your raw events use field names that differ from what the data model expects (for example, reading instead of metric_value, or metric instead of metric_name), use calculated fields to create the mapping.

  1. Go to Settings, and then Fields, and then Calculated Fields.
  2. Select your sourcetype.
  3. Add a calculated field for each mapping. For example:

    • metric_name = metric
    • metric_value = reading

Your data is ready to flow into the Operational Telemetry data model.

Dashboards

The following dashboards in the Splunk OT Intelligence app are built on this data model. Each dashboard requires data to be mapped into the model before it will show your ingested data.

| Dashboard | Purpose |
| --- | --- |
| Operational Telemetry - Overview | End-to-end visibility into the health and distribution of your OT environment |
| Operational Telemetry - Metrics | Browse and inspect all numeric sensor data flowing through the model |
| Operational Telemetry - Events | Monitor and triage alarms, faults, and notifications across your OT devices |
| Operational Telemetry - States | Track operational state changes and history across your devices |
| Operational Telemetry - Data Adoption | Identify how much of your data is mapped into the model and where the gaps are |

Data model hierarchy

BaseEvent
└── All_Telemetry              (root — constraint: `ot_indexes`)
    ├── Metrics
    ├── Events
    ├── States
    ├── Production
    ├── OEE
    ├── Quality
    ├── Maintenance
    ├── Security
    ├── VenueOperations
    └── Location

Note:

Enable data model acceleration to speed up dashboard queries. Enabling data model acceleration increases storage and processing costs because Splunk pre-builds and maintains summarized data on disk. Enable it only when query performance is a priority and the additional resource cost is acceptable. To configure it, go to Settings, and then Data Models. Navigate to the Operational Telemetry data model, and enable acceleration. See About data models for details.

Telemetry

Telemetry reference

The root object for all telemetry across all verticals. Every event must include all of the following required fields:

Constraint: ot_indexes

Required fields

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| device_id | string | Unique identifier for the device | sensor-001, plc-line3 |
| device_type | string | Category of device | plc, sensor, meter, controller, camera, gateway |
| vertical | string | Industry vertical the device belongs to | manufacturing, facilities, smart_city, events, critical_infrastructure |
| site | string | Facility or campus code | NYC-01, PLANT-A |
| system | string | Operational system the device is part of | HVAC, Electrical, Production, Water, Security |

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| asset_class | string | Classification of the asset type | rotating_equipment, electrical, hvac |
| asset_id | string | ID of the parent asset in a CMMS or EAM system | ASSET-CHILLER-03 |
| asset_name | string | Name of the parent asset | Chiller 3 |
| building | string | Building identifier within the site | Building-B, HQ |
| criticality | string | Operational criticality of the device | critical, high, medium, low |
| device_name | string | Human-friendly name for the device | Chiller Unit 3, AHU-B2 |
| firmware_version | string | Installed firmware version | v2.4.1 |
| floor | string | Floor or level within the building | Floor-2, B1 |
| floor_plan_id | string | Reference to a floor plan used for indoor visualization | floorplan-b2-001 |
| geo_lat | number | GPS latitude of the device | 40.7128 |
| location_confidence | number | Accuracy of the position estimate in meters or % | 2.5, 95 |
| geo_lon | number | GPS longitude of the device | -74.0060 |
| device_mac | string | MAC address of the device | 00:1A:2B:3C:4D:5E |
| model | string | Device model number | S7-1500, T775 |
| network_id | string | Meraki network ID | net-abc789 |
| organization_id | string | Meraki or Cisco Spaces organization ID | org-123456 |
| parent_device_id | string | ID of the parent device in the equipment hierarchy | ahu-01 (parent of a VAV unit) |
| protocol | string | Communication protocol used by the device | modbus, bacnet, opcua, mqtt, meraki_api |
| protocol_address | string | Native address of the device in its protocol | 40001 (Modbus register), ns=2;s=Motor.Speed (OPC-UA) |
| protocol_object_type | string | Protocol-native object type | AI (BACnet Analog Input), holding (Modbus) |
| serial_number | string | Device serial number | SN-20241201-004 |
| site_name | string | Full name of the facility | New York Data Center |
| subsystem | string | Specific subsystem within the system | AHU, Chiller, VAV |
| tag_path | string | Full hierarchical address used by OPC-UA or BACnet | ns=2;s=Plant1.Line2.Motor.Speed |
| vendor | string | Device manufacturer | Siemens, Honeywell, Cisco |
| x_coordinate | number | Indoor X position from Spaces or BLE | 12.5 |
| y_coordinate | number | Indoor Y position from Spaces or BLE | 8.3 |
| zone | string | Zone or area within the floor | Zone-A, Server Room 1 |
| zone_type | string | Functional type of the zone | office, conference, lobby, restroom, concourse |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| uns | site_name/building/floor/zone/asset_name/device_name | ISA-95/UNS topic path (Enterprise/Site/Area/Line/Asset/Device) used for routing and pub/sub addressing | NYC-Plant/Building-B/Floor-2/Zone-A/Chiller-3/sensor-001 |
| udmi_topic | site/device_id/<subFolder> | UDMI envelope path where subFolder is derived from the data type present in the event | PLANT-A/sensor-001/pointset |
| location | site_name/building/floor/zone/asset_name/device_name | Human-readable location path used by dashboards for filtering, grouping, and the site map | NYC-Plant/Building-B/Floor-2/Zone-A/Chiller-3/sensor-001 |

The location field is not required by the root constraints, but it is used across all Operational Telemetry dashboards for filtering, grouping, and the site map. We recommend populating it as a combination of your site and asset hierarchy — the more granular your location data, the more useful the dashboards become.

If location is not present in your events, OT Intelligence automatically derives it from your existing fields using the pattern site_name/building/floor/zone/asset_name/device_name. Any field that is missing or empty falls back to unknown.

Metrics

Universal numeric measurements. All sensor readings — temperature, humidity, power, flow rate, occupancy counts — use this pattern.

Parent: All Telemetry

Constraint: metric_name=* metric_value=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| aggregation_type | string | How the value should be aggregated over time | avg, sum, min, max, last |
| aggregation_period | string | Time window used for aggregation | 1min, 5min, 15min, 1hour, 1day |
| metric_category | string | Functional category of the metric | environmental, electrical, process, mechanical, hvac |
| metric_dimension | string | Axis identifier for multi-axis sensors | x, y, z, magnitude |
| direction | string | Direction of traffic flow | northbound, southbound, inbound, outbound |
| lane_id | string | Identifier for a traffic lane | lane-1, northbound-left |
| metric_max | number | High operating limit for the metric | 100, 500.0 |
| metric_name | string | Standardized name identifying the type of measurement | temperature, humidity, power, flow_rate, person_count |
| metric_min | number | Low operating limit for the metric | 0, 10.0 |
| metric_quality | string | Quality flag for the data point | good, suspect, bad, stale |
| rate_period | string | Current energy rate period | peak, off_peak, shoulder, holiday |
| metric_setpoint | number | Target or setpoint value | 22.0, 750 |
| setpoint_source | string | Origin of the current setpoint | schedule, operator, optimization, demand_response |
| tariff_id | string | Energy tariff or rate period identifier | tariff-peak-2024 |
| metric_unit | string | Unit of the measurement | degC, %, kW, ppm, lux, count |
| metric_value | number | Numeric measurement value | 23.5, 1024, 0.87 |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| threshold_status | case(metric_value<metric_min,"low", metric_value>metric_max,"high", 1=1,"normal") | Whether the metric value is below, above, or within its operating limits | low, high, normal |
| setpoint_deviation | metric_value - metric_setpoint | Difference between the current value and the setpoint; null if no setpoint is defined | 1.5, -0.3 |

Events

Discrete occurrences: alarms, faults, and notifications from OT devices.

Parent: All Telemetry

Constraint: event_type=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| acknowledged_time | timestamp | Time the event was acknowledged | 2024-11-01T09:15:00 |
| acknowledged | string | Whether the event has been acknowledged | true, false |
| acknowledged_by | string | Username of the person who acknowledged the event | operator1 |
| alert_level | string | Meraki webhook alert level | warning, critical |
| alert_type | string | Meraki webhook alert type | motion_alert, door_open |
| event_category | string | Domain the event belongs to | equipment, process, safety, environmental, security, network, crowd |
| cleared_time | timestamp | Time the event was cleared | 2024-11-01T09:45:00 |
| duration_seconds | number | Duration from event open to cleared in seconds | 1800 |
| event_code | string | Vendor or standard code identifying the event | E-1042, BACnet-1301 |
| event_state | string | Current lifecycle state of the event | active, cleared, acknowledged, shelved |
| event_type | string | Category of the event | alarm, fault, warning, info, state_change, maintenance, security, webhook |
| event_message | string | Human-readable description of the event | High temperature threshold exceeded |
| event_severity | string | Severity level of the event | critical, high, medium, low, info |
| event_source | string | System or component that generated the event | SCADA, BMS, Meraki |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| severity_num | case(event_severity="critical",5, "high",4, "medium",3, "low",2, "info",1, 1=1,0) | Numeric representation of severity for sorting and comparison | 5, 3, 1 |

States

Equipment operational states and modes — discrete, non-numeric values representing what a device is currently doing.

Parent: All Telemetry

Constraint: state_name=* state_value=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| state_category | string | Functional category of the state | operational, mode, position, availability, security, presence |
| control_mode | string | Current control mode of the device | auto, manual, off, override, standby |
| state_duration | number | Time spent in the previous state in seconds | 3600 |
| dwell_time | number | Time the tracked entity has spent in the current location or state in seconds | 450 |
| previous_state | string | State value before the current change | running |
| state_reason | string | Cause of the state change | operator, automatic, fault, schedule |
| schedule_id | string | BMS schedule that triggered the state change | schedule-occ-weekday |
| schedule_mode | string | Occupancy mode from the active BMS schedule | occupied, unoccupied, standby, holiday |
| state_name | string | Name identifying the type of state being reported | run_status, mode, door_state, presence, occupancy |
| state_value | string | Current value of the state | running, stopped, open, closed, occupied, entry, exit |

Production

Manufacturing production counts, batch tracking, and line performance.

Parent: All Telemetry

Constraint: good_count=* OR batch_id=* OR production_order=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| batch_id | string | Batch identifier | BATCH-20241101-A |
| cell_id | string | Work cell identifier | cell-B2 |
| cycle_time | number | Actual time to complete one unit cycle in seconds | 42 |
| good_count | number | Number of conforming units produced | 482 |
| ideal_cycle_time | number | Theoretical minimum cycle time in seconds | 38 |
| line_id | string | Production line identifier | line-3 |
| operator_id | string | Identifier of the operator on duty | op-007 |
| product_code | string | Product SKU or code | SKU-7890 |
| product_name | string | Product name | Widget Type B |
| production_order | string | Production or work order number | PO-2024-00123 |
| program_id | string | PLC or CNC program currently running | PROG-MOTOR-A |
| recipe_id | string | Recipe identifier | RECIPE-042 |
| recipe_version | string | Version of the active recipe | v3.1 |
| reject_count | number | Number of rejected units | 18 |
| shift | string | Shift identifier | day, night, shift-1 |
| step_id | string | Current step within the running program | step-4 |
| takt_time | number | Available production time divided by customer demand in seconds | 40 |
| target_count | number | Target unit count for the period | 520 |
| total_count | number | Total units produced | 500 |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| yield_rate | (good_count / total_count) * 100 | Percentage of good units out of total produced; null if total count is zero | 96.4 |
| cycle_efficiency | (ideal_cycle_time / cycle_time) * 100 | Ratio of ideal to actual cycle time as a percentage; null if either value is missing | 90.5 |

OEE

Overall Equipment Effectiveness metrics and downtime tracking for manufacturing assets.

Parent: All Telemetry

Constraint: oee=* OR availability=* OR downtime_minutes=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| availability | number | Availability component of OEE as a percentage | 92.5 |
| downtime_minutes | number | Total downtime in minutes | 36 |
| downtime_category | string | Classification of the downtime type | planned, unplanned, changeover, breakdown, starved, blocked |
| downtime_reason | string | Description of why the equipment was down | Scheduled maintenance, Conveyor jam |
| mtbf | number | Mean Time Between Failures in hours | 120.5 |
| mttr | number | Mean Time To Repair in hours | 2.3 |
| oee | number | Overall Equipment Effectiveness as a percentage | 78.6 |
| performance | number | Performance component of OEE as a percentage | 88.0 |
| planned_production_time | number | Planned production time in minutes | 480 |
| quality | number | Quality component of OEE as a percentage | 96.4 |
| actual_run_time | number | Actual time the equipment was running in minutes | 444 |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| calculated_oee | (availability * performance * quality) / 10000 | OEE derived from the three component fields; null if any component is missing | 78.6 |

Quality

Quality measurements and Statistical Process Control (SPC) for manufacturing inspection. Records individual measurements against specification and control limits to track conformance and detect process drift.

Parent: All Telemetry

Constraint: measurement_name=* measurement_value=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| measurement_name | string | Name of the quality characteristic being measured | shaft_diameter, tensile_strength, fill_volume |
| measurement_value | number | Measured value of the quality characteristic | 25.03, 450.7 |
| defect_code | string | Code classifying the type of defect | D-001, SCRATCH |
| defect_description | string | Description of the defect found | Surface scratch on face B |
| disposition | string | Decision made on the inspected item | accept, reject, rework |
| inspection_type | string | Type of quality inspection performed | incoming, in-process, final |
| inspector_id | string | Identifier of the inspector | insp-12 |
| lcl | number | Lower Control Limit for SPC | 24.94 |
| lsl | number | Lower Specification Limit | 24.90 |
| nominal | number | Nominal or target value | 25.00 |
| sample_id | string | Identifier of the sample | SAMPLE-20241101-007 |
| sample_size | number | Number of units in the sample | 5 |
| ucl | number | Upper Control Limit for SPC | 25.06 |
| measurement_unit | string | Unit of the quality measurement | mm, MPa, mL |
| usl | number | Upper Specification Limit | 25.10 |

| Field | Expression | Description | Example |
| --- | --- | --- | --- |
| in_spec | measurement_value >= lsl AND measurement_value <= usl | Whether the measurement is within the Upper and Lower Specification Limits | true, false |
| in_control | measurement_value >= lcl AND measurement_value <= ucl | Whether the measurement is within the Upper and Lower Control Limits | true, false |

Maintenance

Work orders and predictive maintenance signals for OT assets.

Parent: All Telemetry

Constraint: work_order_id=* OR health_score=* OR failure_probability=* OR anomaly_score=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| anomaly_score | number | Score indicating how anomalous the current behavior is | 0.91 |
| completed_date | timestamp | Date the maintenance was completed | 2024-11-15T11:30:00 |
| failure_code | string | Code classifying the failure type | FC-003, BEARING-FAIL |
| failure_description | string | Description of the failure | Bearing overheating on motor shaft |
| failure_probability | number | Predicted probability of failure from 0 to 1 | 0.83 |
| health_score | number | Asset health score from 0 to 100 | 72 |
| runtime_since_maintenance | number | Runtime hours since the last maintenance event | 720 |
| labor_hours | number | Labor hours spent on the work order | 3.5 |
| parts_cost | number | Cost of parts used | 120.00 |
| work_order_priority | string | Priority level of the work order | critical, high, medium, low |
| repair_action | string | Action taken to resolve the failure | Replaced bearing assembly |
| root_cause | string | Root cause identified for the failure | Insufficient lubrication |
| remaining_useful_life | number | Estimated remaining useful life in hours | 340 |
| runtime_hours | number | Total cumulative runtime hours of the asset | 8450 |
| scheduled_date | timestamp | Date the maintenance was scheduled | 2024-11-15T08:00:00 |
| work_order_status | string | Current status of the work order | open, in_progress, completed |
| technician_id | string | Identifier of the assigned technician | tech-42 |
| total_cost | number | Total cost of the maintenance activity | 295.00 |
| work_order_type | string | Type of maintenance work order | preventive, corrective, predictive |
| work_order_id | string | Work order identifier | WO-2024-00456 |

Security

Physical security events including access control, intrusion detection, and venue ticketing.

Parent: All Telemetry

Constraint: access_point=* OR intrusion_zone=* OR camera_id=* OR credential_id=* OR ticket_id=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| access_point | string | Identifier of the access point where the event occurred | door-lobby-main, gate-3 |
| camera_id | string | Identifier of the camera that captured the event | cam-entrance-01 |
| credential_id | string | Identifier of the credential used | badge-00892 |
| credential_type | string | Type of credential used for access | badge, pin, biometric, mobile |
| access_direction | string | Direction of movement at the access point | entry, exit |
| host_id | string | Identifier of the employee hosting the visitor | emp-0210 |
| intrusion_zone | string | Zone where an intrusion was detected | server-room-b, perimeter-north |
| person_id | string | Identifier of the person involved | emp-1042 |
| person_type | string | Category of person involved | employee, contractor, visitor |
| access_result | string | Outcome of the access attempt | granted, denied, forced, held_open |
| ticket_id | string | Ticket barcode for event or venue access | TKT-20241101-00934 |
| ticket_tier | string | Pricing or access tier of the ticket | tier-1, premium |
| ticket_type | string | Category of the ticket | general, vip, season, staff |
| visitor_company | string | Company the visitor is representing | Acme Corp |

Venue Operations

Event and venue scheduling, identification, and layout. Use the Metrics child object for occupancy counts and numeric venue data.

Parent: All Telemetry

Constraint: event_id=* OR venue_id=* OR gate_id=* OR route_id=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| venue_capacity | number | Maximum capacity of the venue | 20000 |
| concession_id | string | Identifier for a concession stand | concession-12 |
| event_end | timestamp | Scheduled end time of the event | 2024-11-10T21:30:00 |
| event_id | string | Unique identifier for the event | EVT-2024-00781 |
| event_name | string | Name of the event | Championship Finals 2024 |
| gate_id | string | Identifier for an entry or exit gate | gate-north-1 |
| parking_lot_id | string | Identifier for a parking area | lot-C |
| route_id | string | Identifier for a transit or delivery route | route-shuttle-A |
| section_id | string | Identifier for a seating or venue section | section-B, upper-deck-3 |
| event_start | timestamp | Scheduled start time of the event | 2024-11-10T18:00:00 |
| venue_id | string | Unique identifier for the venue | venue-stadium-01 |
| venue_name | string | Name of the venue | City Arena |

Location

Real-time location tracking from Cisco Spaces, BLE beacons, and WiFi positioning. Extends the base geospatial fields (geo_lat, geo_lon, x_coordinate, y_coordinate) defined at the beginning of this topic.

Parent: All Telemetry

Constraint: location_id=* OR tracked_device_id=* OR visit_id=*

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| ap_mac | string | MAC address of the associated access point | 00:1B:2C:3D:4E:5F |
| detection_method | string | Technology used to determine the device location | wifi, ble, gps, rfid |
| entry_time | timestamp | Time the tracked device entered the location | 2024-11-01T08:45:00 |
| exit_time | timestamp | Time the tracked device exited the location | 2024-11-01T09:30:00 |
| location_id | string | Cisco Spaces location UUID | loc-uuid-00f3a1 |
| location_name | string | Human-readable name of the location | Floor 2 - West Wing |
| location_type | string | Granularity level of the location | campus, building, floor, zone |
| ssid | string | WiFi network the tracked device is connected to | corp-wifi-5g |
| tracked_device_id | string | Identifier of the device being tracked | mobile-emp-007, asset-tag-142 |
| tracked_device_type | string | Type of device being tracked | mobile, tag, client, asset |
| visit_id | string | Unique identifier for a visit or journey through the space | visit-20241101-00312 |
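
The required base fields, the child-object constraints, the Step 2 field mapping, and the location fallback described in this topic can be checked offline against sample events before a source is onboarded. The following Python is an added example, not part of the Splunk OT Intelligence app. It assumes that field=* means "present and non-empty", does not model index membership (ot_indexes), and uses constructed sample events and hypothetical function names.

```python
# Added example: offline check of events against this page's constraints.
# Assumption: "field=*" is approximated as "field present and non-empty".
REQUIRED = ("device_id", "device_type", "vertical", "site", "system")

# Child-object constraints as listed on this page. Fields inside one tuple are
# ANDed (metric_name=* metric_value=*); the tuples in a list are ORed.
CONSTRAINTS = {
    "Metrics": [("metric_name", "metric_value")],
    "Events": [("event_type",)],
    "States": [("state_name", "state_value")],
    "Production": [("good_count",), ("batch_id",), ("production_order",)],
    "OEE": [("oee",), ("availability",), ("downtime_minutes",)],
    "Quality": [("measurement_name", "measurement_value")],
    "Maintenance": [("work_order_id",), ("health_score",),
                    ("failure_probability",), ("anomaly_score",)],
    "Security": [("access_point",), ("intrusion_zone",), ("camera_id",),
                 ("credential_id",), ("ticket_id",)],
    "VenueOperations": [("event_id",), ("venue_id",), ("gate_id",), ("route_id",)],
    "Location": [("location_id",), ("tracked_device_id",), ("visit_id",)],
}
LOCATION_PARTS = ("site_name", "building", "floor", "zone", "asset_name", "device_name")


def present(event, field):
    """True when the field exists and is not empty (0 counts as a value)."""
    value = event.get(field)
    return value is not None and str(value).strip() != ""


def apply_calculated_fields(event, mapping):
    """Copy the event and add target=source fields, like the Step 2 mapping."""
    mapped = dict(event)
    for target, source in mapping.items():
        if present(event, source):
            mapped[target] = event[source]
    return mapped


def derive_location(event):
    """Use location if set, else build the path with 'unknown' fallbacks."""
    if present(event, "location"):
        return event["location"]
    return "/".join(str(event[p]) if present(event, p) else "unknown"
                    for p in LOCATION_PARTS)


def audit(event):
    """Report missing base fields, matching child objects, and location."""
    return {
        "missing": [f for f in REQUIRED if not present(event, f)],
        "children": [name for name, groups in CONSTRAINTS.items()
                     if any(all(present(event, f) for f in g) for g in groups)],
        "location": derive_location(event),
    }


# Constructed sample events (not real data).
RAW_METRIC = {"device_id": "plc-line3", "device_type": "plc", "vertical": "manufacturing",
              "site": "PLANT-A", "system": "Production", "metric": "power", "reading": 0}
DOOR_EVENT = {"device_id": "door-1", "device_type": "controller", "site": "NYC-01",
              "system": "Security", "building": "HQ", "event_type": "security",
              "access_point": "door-lobby-main", "access_result": "denied"}
STEP2_MAPPING = {"metric_name": "metric", "metric_value": "reading"}

if __name__ == "__main__":
    print(audit(RAW_METRIC))
    print(audit(apply_calculated_fields(RAW_METRIC, STEP2_MAPPING)))
    print(audit(DOOR_EVENT))
```

The unmapped metric event matches no child object until the Step 2 mapping is applied, and the door event matches both Events and Security while still lacking the vertical base field.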