Splunk® Common Information Model Add-on

Common Information Model Add-on Manual


Network Traffic

The fields and tags in the Network Traffic data model describe flows of data across network infrastructure components.

Note: A dataset is a component of a data model. In versions of the Splunk platform prior to version 6.5.0, these were referred to as data model objects.

Tags used with Network Traffic event datasets

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see How to use these reference tables.

| Dataset name | Tag name |
| --- | --- |
| All_Traffic | network |
| All_Traffic | communicate |

Fields for Network Traffic event datasets

The following table lists the extracted and calculated fields for the event datasets in the model. Note that it does not include any inherited fields. For more information, see How to use these reference tables.

| Dataset name | Field name | Data type | Description | Possible values |
| --- | --- | --- | --- | --- |
| All_Traffic | action | string | The action taken by the network device. | allowed, blocked, teardown |
| All_Traffic | app | string | The application protocol of the traffic. | |
| All_Traffic | bytes | number | Total count of bytes handled by this device/interface (bytes_in + bytes_out). | |
| All_Traffic | bytes_in | number | How many bytes this device/interface received. | |
| All_Traffic | bytes_out | number | How many bytes this device/interface transmitted. | |
| All_Traffic | channel | number | The 802.11 channel used by a wireless network. | |
| All_Traffic | dest | string | The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name. | |
| All_Traffic | dest_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dest_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dest_interface | string | The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface." | |
| All_Traffic | dest_ip | string | The IP address of the destination. | |
| All_Traffic | dest_mac | string | The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field, and always use colons instead of dashes, spaces, or no separator. | |
| All_Traffic | dest_port | number | The destination port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in a dest_svc field by extending the data model. | |
| All_Traffic | dest_priority | string | The destination priority, if applicable. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dest_translated_ip | string | The NATed IPv4 or IPv6 address to which a packet has been sent. | |
| All_Traffic | dest_translated_port | number | The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). | |
| All_Traffic | dest_zone | string | The network zone of the destination. | |
| All_Traffic | direction | string | The direction the packet is travelling. | inbound, outbound |
| All_Traffic | duration | number | The amount of time for the completion of the network event, in seconds. | |
| All_Traffic | dvc | string | The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name. | |
| All_Traffic | dvc_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dvc_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dvc_ip | string | The IP address of the device. | |
| All_Traffic | dvc_mac | string | The TCP/IP layer 2 Media Access Control (MAC) address of the device, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator. | |
| All_Traffic | dvc_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | dvc_zone | string | The network zone of the device. | |
| All_Traffic | flow_id | string | Unique identifier for this traffic stream, such as a netflow, jflow, or cflow. | |
| All_Traffic | icmp_code | string | The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem. See the ICMP Type Numbers and the ICMPv6 Type Numbers. | |
| All_Traffic | icmp_type | number | The RFC 2780 or RFC 4443 numeric value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers. | 0 to 254 |
| All_Traffic | packets | number | The total count of packets handled by this device/interface (packets_in + packets_out). | |
| All_Traffic | packets_in | number | The total count of packets received by this device/interface. | |
| All_Traffic | packets_out | number | The total count of packets transmitted by this device/interface. | |
| All_Traffic | protocol | string | The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx. | |
| All_Traffic | protocol_version | string | Version of the OSI layer 3 protocol. | |
| All_Traffic | response_time | number | The amount of time it took to receive a response in the network event, if applicable. | |
| All_Traffic | rule | string | The rule that defines the action that was taken in the network event. Note: This is a string value. Use a rule_id field for rule fields that are integer data types. The rule_id field is optional, so it is not included in this table. | |
| All_Traffic | session_id | string | The session identifier. Multiple transactions build a session. | |
| All_Traffic | src | string | The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name. | |
| All_Traffic | src_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | src_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | src_interface | string | The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface." | |
| All_Traffic | src_ip | string | The IP address of the source. | |
| All_Traffic | src_mac | string | The TCP/IP layer 2 Media Access Control (MAC) address of a packet's source, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field, and always use colons instead of dashes, spaces, or no separator. | |
| All_Traffic | src_port | number | The source port of the network traffic. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field. | |
| All_Traffic | src_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | src_translated_ip | string | The NATed IPv4 or IPv6 address from which a packet has been sent. | |
| All_Traffic | src_translated_port | number | The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). | |
| All_Traffic | src_zone | string | The network zone of the source. | |
| All_Traffic | ssid | string | The 802.11 service set identifier (SSID) assigned to a wireless session. | |
| All_Traffic | tag | string | This automatically generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | tcp_flag | string | The TCP flag(s) specified in the event. Can be one or more of SYN, ACK, FIN, RST, URG, or PSH. | |
| All_Traffic | transport | string | The OSI layer 4 (transport) or internet layer protocol of the traffic observed, in lower case. | tcp, udp, icmp |
| All_Traffic | tos | string | The combination of source and destination IP ToS (type of service) values in the event. | |
| All_Traffic | ttl | number | The "time to live" of a packet or datagram. | |
| All_Traffic | user | string | The user that requested the traffic flow. | |
| All_Traffic | user_bunit | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | user_category | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | user_priority | string | This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons. | |
| All_Traffic | vendor_product | string | The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data. | |
| All_Traffic | vlan | string | The virtual local area network (VLAN) specified in the record. | |
| All_Traffic | wifi | string | The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n. | |
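The normalization rules scattered through the table (ports stay numeric, MAC addresses are lower case with colon separators, transport is lower case, bytes and packets are the sum of the in/out counters, action and direction take only the listed values) are the part of a CIM mapping that is easiest to get wrong. The following Python is an added example, not code from the Splunk Common Information Model Add-on or from any vendor add-on: it maps one constructed vendor record onto All_Traffic field names and rejects values the table does not allow. The raw field names (act, dir, srcaddr, dstaddr, rcvdbyte, and so on) and the vendor action words in VENDOR_ACTIONS are assumptions standing in for a real product's log format.

```python
"""Normalize a raw firewall record into CIM Network Traffic (All_Traffic) fields.

Added example, not code from the Splunk CIM Add-on. The raw field names and
the vendor action words are constructed stand-ins, not a real product's schema.
"""
import re

# Constraints taken from the All_Traffic field table.
ALLOWED_ACTIONS = {"allowed", "blocked", "teardown"}
ALLOWED_DIRECTIONS = {"inbound", "outbound"}
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "URG", "PSH")

# Hypothetical vendor action words mapped onto the three CIM action values.
VENDOR_ACTIONS = {
    "permit": "allowed", "allow": "allowed", "accept": "allowed",
    "deny": "blocked", "drop": "blocked", "reject": "blocked",
    "teardown": "teardown",
}

_NOT_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw: str) -> str:
    """Lower case with colon separators: '06-10-9F-EB-8F-14' -> '06:10:9f:eb:8f:14'."""
    digits = _NOT_HEX.sub("", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_port(raw) -> int:
    """Keep ports numeric: 'tcp/80' is 80, never 'http'."""
    port = int(str(raw).rsplit("/", 1)[-1])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {raw!r}")
    return port


def normalize_tcp_flags(raw: str) -> str:
    """Return only the recognised flag names, space-separated in a fixed order."""
    present = {token.upper() for token in re.split(r"[\s,|/]+", raw) if token}
    unknown = present - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flags: {sorted(unknown)}")
    return " ".join(flag for flag in TCP_FLAGS if flag in present)


def normalize_event(raw: dict) -> dict:
    """Map one constructed vendor record onto All_Traffic field names."""
    action = VENDOR_ACTIONS.get(raw["act"].lower())
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unmapped vendor action: {raw['act']!r}")
    direction = raw["dir"].lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid direction: {raw['dir']!r}")

    bytes_in, bytes_out = int(raw["rcvdbyte"]), int(raw["sentbyte"])
    packets_in, packets_out = int(raw["rcvdpkt"]), int(raw["sentpkt"])

    event = {
        "action": action,
        "direction": direction,
        # src and dest are aliases of the more specific *_ip fields.
        "src": raw["srcaddr"], "src_ip": raw["srcaddr"],
        "dest": raw["dstaddr"], "dest_ip": raw["dstaddr"],
        "src_port": normalize_port(raw["srcport"]),
        "dest_port": normalize_port(raw["dstport"]),
        "transport": raw["proto"].lower(),
        "bytes_in": bytes_in, "bytes_out": bytes_out,
        "bytes": bytes_in + bytes_out,               # bytes_in + bytes_out
        "packets_in": packets_in, "packets_out": packets_out,
        "packets": packets_in + packets_out,         # packets_in + packets_out
        "rule": str(raw["rule"]),                    # rule is a string, never an int
        "dvc": raw["dev"],
    }
    if raw.get("srcmac"):
        event["src_mac"] = normalize_mac(raw["srcmac"])
    if event["transport"] == "tcp" and raw.get("tcpflags"):
        event["tcp_flag"] = normalize_tcp_flags(raw["tcpflags"])
    return event


# Constructed sample record; not captured from any real device.
RAW_EVENT = {
    "act": "Deny", "dir": "Outbound",
    "srcaddr": "10.1.2.3", "srcport": "51514", "srcmac": "06-10-9F-EB-8F-14",
    "dstaddr": "203.0.113.10", "dstport": "tcp/443",
    "proto": "TCP", "tcpflags": "syn,ack",
    "sentbyte": "1200", "rcvdbyte": "4300", "sentpkt": "9", "rcvdpkt": "11",
    "rule": "egress-https", "dev": "fw01",
}

if __name__ == "__main__":
    for name, value in sorted(normalize_event(RAW_EVENT).items()):
        print(f"{name}={value!r}")
```

In a real add-on the same mapping lives in props.conf and transforms.conf (FIELDALIAS and EVAL stanzas) rather than in Python; the code is here to make the checks explicit: a port written as tcp/80 becomes the number 80, a MAC in any vendor format becomes lower case with colons, and an action or direction outside the allowed set is rejected instead of being passed through into the data model.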

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0


Comments

Nowadays firewalls and network devices are able to identify applications, so it would be useful to add fields to the data model to reflect those capabilities, like "application" and "application category". The same happened with web traffic: these devices can identify URLs and web applications.

Apezuela
October 30, 2018

Thanks, @DUThibault. I updated the description to be clearer that the data model definition does not include this field by default, but you could add it to the data model definition if needed.

Smoir splunk, Splunker
November 29, 2017

"You can set up the corresponding string value in the dest_svc field." There is no dest_svc field, anywhere in docs.splunk.com.

DUThibault
November 28, 2017

Thanks, Lakshman239. I've corrected the field descriptions for src_bunit and src_category, which are indeed populated by the ES asset and identity framework.

Rpille splunk, Splunker
May 4, 2017

On Network Traffic dataset, the All_Traffic:src_bunit, src_category and possibly src_mac should be coming from the asset tables for ES to correlate. Similar to dvc_category, dvc_bunit.

Lakshman239
May 3, 2017
