If you are investigating an endpoint, you can use the cbcdvcinfo command to bring up-to-date device metadata into your Splunk query.
The command must be preconfigured in the app configuration under the Custom Commands tab. Limit your Splunk search to 100 devices to avoid potential API throttling.
The full device metadata schema is available in the Devices API on the Developer Network.