Splunk® Common Information Model Add-on

Common Information Model Add-on Manual



This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.

Network Traffic

The fields in the Network Traffic data model and event category describe flows of data across network infrastructure components.

Tags used with the Network Traffic event category

Object name(s) Tag name Required?
All_Traffic network YES
All_Traffic communicate YES

Fields for the Network Traffic event category

Object name(s) Field name Data type Description Possible values
All_Traffic action string The action taken by the network device. allowed, blocked, dropped, unknown
All_Traffic app string The application protocol of the traffic.
All_Traffic bytes int Total count of bytes handled by this device/interface (bytes_in + bytes_out).
All_Traffic bytes_in int How many bytes this device/interface received.
All_Traffic bytes_out int How many bytes this device/interface transmitted.
All_Traffic channel string The 802.11 channel used by a wireless network.
All_Traffic dest string The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
All_Traffic dest_port int The destination port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field.
All_Traffic dest_bunit string A derived field provided by the Asset and Identity correlation features of certain advanced applications, such as the Splunk App for Enterprise Security. Leave it blank when writing add-ons.
All_Traffic dest_category string A derived field, as for dest_bunit. Leave it blank when writing add-ons.
All_Traffic dest_interface string The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface."
All_Traffic dest_mac string The layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons as the separator, never dashes, spaces, or no separator.
All_Traffic dest_translated_ip string The NATed IPv4 or IPv6 address to which a packet has been sent.
All_Traffic dest_translated_port int The NATed port to which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
All_Traffic direction string The direction the packet is traveling. inbound, outbound, unknown
All_Traffic dvc string The device that reported the traffic event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
All_Traffic dvc_ip string The IP address of the device that reported the traffic event.
All_Traffic flow_id string Unique identifier for this traffic stream, such as a NetFlow, jFlow, or cflow flow identifier.
All_Traffic ip_version int The numbered Internet Protocol version. Splunk 5 or later autodetects IPv4 versus IPv6, so this field is usually unnecessary. 4, 6
All_Traffic packets int The total count of packets handled by this device/interface (packets_in + packets_out).
All_Traffic packets_in int The total count of packets received by this device/interface.
All_Traffic packets_out int The total count of packets transmitted by this device/interface.
All_Traffic product string The product name of the device generating the network event, such as SSG or ASA. This field is used to automatically produce the vendor_product field used by data models.
All_Traffic protocol string The OSI layer 3 (network) protocol of the traffic observed, in lower case. Can be used interchangeably or field-aliased with transport, as vendors do not always distinguish these layers as separate fields. ipv4, ipv6, icmp, ipsec, igmp, rip, unknown
All_Traffic rule string The rule which defines the action that was taken in the network event.

Note: This is a string value. Use a rule_id field for rule fields that are integer data types (rule_id fields are optional, so they are not included in this table).
All_Traffic session_id string The session identifier. Multiple transactions build a session.
All_Traffic src string The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as src_host, src_ip, or src_name.
All_Traffic src_interface string The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface."
All_Traffic src_mac string The layer 2 Media Access Control (MAC) address of a packet's source, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons as the separator, never dashes, spaces, or no separator.
All_Traffic src_port int The source port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field.
All_Traffic src_svc string The service indicated by the source port of the network traffic, as translated from src_port. For instance, if your src_port value is 80, the corresponding src_svc value is http.

Note: Always force lower case.
All_Traffic src_tos int The IP type of service (ToS) precedence value (see http://en.wikipedia.org/wiki/Type_of_Service) for the event's source. ToS is an IP header field, not a TCP one. See also the tos field in this table. 0, 1, 2, 3, 4, 5, 6, or 7
All_Traffic src_translated_ip string The NATed IPv4 or IPv6 address from which a packet has been sent.
All_Traffic src_translated_port int The NATed port from which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
All_Traffic ssid string The 802.11 service set identifier (ssid) assigned to a wireless session.
All_Traffic tcp_flag string The TCP flag(s) specified in the event. Can be one or more of SYN, ACK, FIN, RST, URG, or PSH.
All_Traffic transport string The OSI layer 4 (transport) protocol of the traffic observed, in lower case. May be used interchangeably or field-aliased with protocol, as vendors do not always distinguish these layers as separate fields. tcp, udp, unknown
All_Traffic tos string The combination of source and destination IP ToS (type of service) values in the event. See the entries for dest_tos and src_tos in this table.
All_Traffic ttl int The "time to live" of a packet or datagram.
All_Traffic user string The user that requested the traffic flow.
All_Traffic wifi_tech MV string The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n.
All_Traffic vendor string The vendor technology of the device generating the network event, such as Juniper or Cisco. This field is used to automatically produce the vendor_product field used by data models.
All_Traffic vlan_id int The numeric identifier assigned to the virtual local area network (VLAN) specified in the record.
All_Traffic vlan_name string The name assigned to the virtual local area network (VLAN) specified in the record.
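As an added example (not part of the Splunk CIM Add-on or its documentation), the following Python script shows how an add-on author might map a vendor's traffic log into the fields above and then check the result against the rules in the two tables: both required tags present, ports kept numeric and never translated to service names, MAC addresses lower case and colon-separated, transport values lower case and from the allowed set, and bytes equal to bytes_in + bytes_out. The key=value log format, the vendor's action and direction names, and the port-to-service table are constructed assumptions for illustration; in a real add-on the same mapping would live in props.conf, transforms.conf, eventtypes.conf and tags.conf, and the service translation would be a lookup.

```python
"""Normalize constructed firewall events into CIM Network Traffic fields and
validate them against the field constraints documented for All_Traffic.

Added example, not Splunk CIM Add-on code. The raw log format, the
action/direction names and the port-to-service table are assumptions.
"""
import re
from typing import Any, Dict, List

# Constructed sample events in a hypothetical key=value syslog style.
RAW_EVENTS = [
    'ts=2014-04-29T10:15:01Z dev=fw01 dev_ip=10.0.0.1 act=permit '
    'proto=TCP src_ip=192.168.1.10 src_port=51522 dst_ip=93.184.216.34 '
    'dst_port=443 src_mac=00-1A-2B-3C-4D-5E dst_mac=00:1a:2b:3c:4d:5f '
    'rcvd=1500 sent=3200 dir=out rule=allow-web',
    'ts=2014-04-29T10:15:02Z dev=fw01 dev_ip=10.0.0.1 act=deny '
    'proto=UDP src_ip=198.51.100.7 src_port=4444 dst_ip=192.168.1.20 '
    'dst_port=53 src_mac=001a2b3c4d60 dst_mac=00-1A-2B-3C-4D-61 '
    'rcvd=60 sent=0 dir=in rule=block-ext-dns',
]

# Assumed vendor vocabulary -> CIM vocabulary.
ACTION_MAP = {'permit': 'allowed', 'deny': 'blocked', 'drop': 'dropped'}
DIRECTION_MAP = {'in': 'inbound', 'out': 'outbound'}
# Assumed port-to-service table (a lookup in a real add-on).
PORT_TO_SVC = {22: 'ssh', 53: 'dns', 80: 'http', 443: 'https'}

ALLOWED_ACTIONS = {'allowed', 'blocked', 'dropped', 'unknown'}
ALLOWED_TRANSPORTS = {'tcp', 'udp', 'unknown'}
REQUIRED_TAGS = {'network', 'communicate'}
KV_RE = re.compile(r'(\w+)=(\S+)')
MAC_RE = re.compile(r'^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$')


def normalize_mac(raw: str) -> str:
    """Force lower case and colon separators, whatever the vendor emitted."""
    digits = re.sub(r'[^0-9a-fA-F]', '', raw).lower()
    if len(digits) != 12:
        raise ValueError(f'bad MAC address: {raw!r}')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def to_cim(raw: str) -> Dict[str, Any]:
    """Map one raw key=value event onto CIM Network Traffic field names."""
    kv = dict(KV_RE.findall(raw))
    src_port = int(kv['src_port'])    # ports stay numeric (80, not http)
    dest_port = int(kv['dst_port'])
    bytes_in, bytes_out = int(kv['rcvd']), int(kv['sent'])
    transport = kv['proto'].lower()
    event = {
        'action': ACTION_MAP.get(kv['act'].lower(), 'unknown'),
        'dvc': kv['dev'], 'dvc_ip': kv['dev_ip'],
        'src': kv['src_ip'], 'src_ip': kv['src_ip'],
        'dest': kv['dst_ip'], 'dest_ip': kv['dst_ip'],
        'src_port': src_port, 'dest_port': dest_port,
        'src_svc': PORT_TO_SVC.get(src_port),      # string form lives here
        'dest_svc': PORT_TO_SVC.get(dest_port),
        'src_mac': normalize_mac(kv['src_mac']),
        'dest_mac': normalize_mac(kv['dst_mac']),
        'transport': transport if transport in ALLOWED_TRANSPORTS else 'unknown',
        'bytes_in': bytes_in, 'bytes_out': bytes_out,
        'bytes': bytes_in + bytes_out,
        'direction': DIRECTION_MAP.get(kv['dir'].lower(), 'unknown'),
        'rule': kv['rule'],
        'tag': sorted(REQUIRED_TAGS),
    }
    return {k: v for k, v in event.items() if v is not None}


def validate(event: Dict[str, Any]) -> List[str]:
    """Return the CIM constraint violations found (empty list = compliant)."""
    problems = []
    if event.get('action') not in ALLOWED_ACTIONS:
        problems.append(f"action {event.get('action')!r} not in {sorted(ALLOWED_ACTIONS)}")
    for field in ('src_port', 'dest_port', 'bytes_in', 'bytes_out', 'bytes'):
        if not isinstance(event.get(field), int):
            problems.append(f'{field} must be an int, got {event.get(field)!r}')
    for field in ('src_mac', 'dest_mac'):
        if not MAC_RE.fullmatch(str(event.get(field, ''))):
            problems.append(f'{field} must be lower-case colon-separated, got {event.get(field)!r}')
    if event.get('transport') not in ALLOWED_TRANSPORTS:
        problems.append(f"transport {event.get('transport')!r} not in {sorted(ALLOWED_TRANSPORTS)}")
    if (all(isinstance(event.get(f), int) for f in ('bytes', 'bytes_in', 'bytes_out'))
            and event['bytes'] != event['bytes_in'] + event['bytes_out']):
        problems.append('bytes must equal bytes_in + bytes_out')
    missing = REQUIRED_TAGS - set(event.get('tag', []))
    if missing:
        problems.append(f'missing required tags: {sorted(missing)}')
    return problems


# Constructed non-compliant event: string port, un-normalized MAC, upper-case
# transport, inconsistent byte counts, vendor action name, one tag missing.
NON_COMPLIANT = {
    'action': 'permit', 'src_port': 51522, 'dest_port': 'http',
    'src_mac': '00-1A-2B-3C-4D-5E', 'dest_mac': '00:1a:2b:3c:4d:5f',
    'transport': 'TCP', 'bytes_in': 1500, 'bytes_out': 3200, 'bytes': 1500,
    'tag': ['network'],
}

if __name__ == '__main__':
    for raw in RAW_EVENTS:
        cim = to_cim(raw)
        print(cim, 'violations:', validate(cim))
    print('violations:', validate(NON_COMPLIANT))
```

Running the script prints two compliant events with empty violation lists, followed by the six violations in the constructed NON_COMPLIANT record; the same checks are what a CIM compliance test for an add-on would assert before its events are allowed to populate the All_Traffic object.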
Last modified on 29 April, 2014

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2

