Network Traffic
The fields in the Network Traffic data model and event category describe flows of data across network infrastructure components.

Tags used with the Network Traffic event category

Object name(s) | Tag name | Required?
---|---|---
All_Traffic | network | YES
All_Traffic | communicate | YES
Fields for the Network Traffic event category

Object name(s) | Field name | Data type | Description | Possible values
---|---|---|---|---
All_Traffic | `action` | string | The action taken by the network device. | `allowed`, `blocked`, `dropped`, `unknown`
All_Traffic | `app` | string | The application protocol of the traffic. |
All_Traffic | `bytes` | int | Total count of bytes handled by this device/interface (`bytes_in` + `bytes_out`). |
All_Traffic | `bytes_in` | int | How many bytes this device/interface received. |
All_Traffic | `bytes_out` | int | How many bytes this device/interface transmitted. |
All_Traffic | `channel` | string | The 802.11 channel used by a wireless network. |
All_Traffic | `dest` | string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`. |
All_Traffic | `dest_port` | int | The destination port of the network traffic. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). You can set up the corresponding string value in the `dest_svc` field. |
All_Traffic | `dest_bunit` | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. |
All_Traffic | `dest_category` | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. |
All_Traffic | `dest_interface` | string | The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface." |
All_Traffic | `dest_mac` | string | The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as `06:10:9f:eb:8f:14`. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. |
All_Traffic | `dest_translated_ip` | string | The NATed IPv4 or IPv6 address to which a packet has been sent. |
All_Traffic | `dest_translated_port` | int | The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). |
All_Traffic | `direction` | string | The direction the packet is travelling. | `inbound`, `outbound`, `unknown`
All_Traffic | `dvc` | string | The device that reported the traffic event. May be aliased from more specific fields, such as `dvc_host`, `dvc_ip`, or `dvc_name`. |
All_Traffic | `dvc_ip` | string | |
All_Traffic | `flow_id` | string | Unique identifier for this traffic stream, such as a `netflow`, `jflow`, or `cflow`. |
All_Traffic | `ip_version` | int | The numbered Internet Protocol version. Splunk 5 or better autodetects IPv4 vs IPv6, rendering this field unnecessary. | `4`, `6`
All_Traffic | `packets` | int | The total count of packets handled by this device/interface (`packets_in` + `packets_out`). |
All_Traffic | `packets_in` | int | The total count of packets received by this device/interface. |
All_Traffic | `packets_out` | int | The total count of packets transmitted by this device/interface. |
All_Traffic | `product` | string | The product name of the device generating the network event, such as `SSG` or `ASA`. This field is used to automatically produce the `vendor_product` field used by data models. |
All_Traffic | `protocol` | string | The OSI layer 3 (network) protocol of the traffic observed, in lower case. Can be used interchangeably or field-aliased with `protocol`, as vendors do not always distinguish these layers as separate fields. | `ipv4`, `ipv6`, `icmp`, `ipsec`, `igmp`, `rip`, `unknown`
All_Traffic | `rule` | string | The rule which defines the action that was taken in the network event. Note: This is a string value. Use a `rule_id` field for rule fields that are integer data types (`rule_id` fields are optional, so they are not included in this table). |
All_Traffic | `session_id` | string | The session identifier. Multiple transactions build a session. |
All_Traffic | `src` | string | The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as `src_host`, `src_ip`, or `src_name`. |
All_Traffic | `src_interface` | string | The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface." |
All_Traffic | `src_mac` | string | The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as `06:10:9f:eb:8f:14`. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. |
All_Traffic | `src_port` | int | The source port of the network traffic. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). You can set up the corresponding string value in the `src_svc` field. |
All_Traffic | `src_svc` | string | The service indicated by the source port of the network traffic, as translated from `src_port`. For instance, if your `src_port` value is `80`, the corresponding `src_svc` value is `http`. Note: Always force lower case. |
All_Traffic | `src_tos` | int | The hex bit that specifies TCP ToS or "type of service" (see http://en.wikipedia.org/wiki/Type_of_Service) for the event's source. See also the `tos` field in this table. | `0`, `1`, `2`, `3`, `4`, `5`, `6`, or `7`
All_Traffic | `src_translated_ip` | string | The NATed IPv4 or IPv6 address from which a packet has been sent. |
All_Traffic | `src_translated_port` | int | The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). |
All_Traffic | `ssid` | string | The 802.11 service set identifier (ssid) assigned to a wireless session. |
All_Traffic | `tcp_flag` | string | The TCP flag(s) specified in the event. | Can be one or more of `SYN`, `ACK`, `FIN`, `RST`, `URG`, or `PSH`.
All_Traffic | `transport` | string | The OSI layer 4 (transport) protocol of the traffic observed, in lower case. May be used interchangeably or field-aliased with `transport`, as vendors do not always distinguish these layers as separate fields. | `tcp`, `udp`, `unknown`
All_Traffic | `tos` | string | The combination of source and destination IP ToS (type of service) values in the event. See the entries for `dest_tos` and `src_tos` in this table. |
All_Traffic | `ttl` | int | The "time to live" of a packet or datagram. |
All_Traffic | `user` | string | The user that requested the traffic flow. |
All_Traffic | `wifi_tech` | MV string | The wireless standard(s) in use, such as `802.11a`, `802.11b`, `802.11g`, or `802.11n`. |
All_Traffic | `vendor` | string | The vendor technology of the device generating the network event, such as `Juniper` or `Cisco`. This field is used to automatically produce the `vendor_product` field used by data models. |
All_Traffic | `vlan_id` | int | The numeric identifier assigned to the virtual local area network (VLAN) specified in the record. |
All_Traffic | `vlan_name` | string | The name assigned to the virtual local area network (VLAN) specified in the record. |
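The conventions the table repeats (ports kept as integers with the service name in `*_svc`, MAC addresses forced to lower case with colon separators, `bytes` as `bytes_in + bytes_out`, `action`/`direction`/`transport` restricted to the listed values, `vendor_product` built from `vendor` and `product`) are what an add-on's field normalization has to enforce before events land in `All_Traffic`. The following is an added example written for this page, not code from the CIM add-on: `normalize_event`, `normalize_mac`, `enum_or_unknown`, the `ACTION_ALIASES` and `SERVICES` lookups and the sample event are all constructed here.

```python
import re

# Enumerated values the Network Traffic model lists for these fields.
ACTIONS = {"allowed", "blocked", "dropped", "unknown"}
DIRECTIONS = {"inbound", "outbound", "unknown"}
TRANSPORTS = {"tcp", "udp", "unknown"}
# Vendor wording -> model value, and port -> service name: both constructed
# for this example, not lookups shipped with the CIM add-on.
ACTION_ALIASES = {"permit": "allowed", "deny": "blocked", "drop": "dropped"}
SERVICES = {22: "ssh", 53: "dns", 80: "http", 443: "https"}

def normalize_mac(value):
    """Return the MAC lower-cased with colon separators, or None if unparseable."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def enum_or_unknown(value, allowed, aliases=None):
    """Map a vendor value onto the model's enumerated set, else 'unknown'."""
    value = (value or "unknown").lower()
    value = (aliases or {}).get(value, value)
    return value if value in allowed else "unknown"

def normalize_event(raw):
    """Turn one vendor-style event (a dict) into All_Traffic field values."""
    src_port, dest_port = int(raw["src_port"]), int(raw["dest_port"])
    bytes_in, bytes_out = int(raw.get("bytes_in", 0)), int(raw.get("bytes_out", 0))
    return {
        "action": enum_or_unknown(raw.get("action"), ACTIONS, ACTION_ALIASES),
        "direction": enum_or_unknown(raw.get("direction"), DIRECTIONS),
        "transport": enum_or_unknown(raw.get("transport"), TRANSPORTS),
        "src": raw["src_ip"], "src_ip": raw["src_ip"],
        "dest": raw["dest_ip"], "dest_ip": raw["dest_ip"],
        # Ports stay integers; the service name lives in *_svc, never in *_port.
        "src_port": src_port, "dest_port": dest_port,
        "src_svc": SERVICES.get(src_port), "dest_svc": SERVICES.get(dest_port),
        "src_mac": normalize_mac(raw.get("src_mac")),
        "dest_mac": normalize_mac(raw.get("dest_mac")),
        "bytes_in": bytes_in, "bytes_out": bytes_out, "bytes": bytes_in + bytes_out,
        "vendor_product": f"{raw['vendor']} {raw['product']}",
    }

# Constructed sample event using a vendor's own key names (not real device output).
RAW_EVENT = {"action": "Deny", "direction": "Inbound", "transport": "TCP",
             "src_ip": "203.0.113.7", "src_port": "51515", "src_mac": "06-10-9F-EB-8F-14",
             "dest_ip": "192.0.2.10", "dest_port": "80", "dest_mac": "0610.9feb.8f15",
             "bytes_in": "1200", "bytes_out": "300", "vendor": "Cisco", "product": "ASA"}
```

Running `normalize_event(RAW_EVENT)` yields `action` `blocked`, `dest_port` `80` with `dest_svc` `http`, both MACs as `06:10:9f:eb:8f:1x`, and `bytes` `1500`; an unrecognised action or transport value falls back to `unknown` rather than leaking a vendor-specific string into the model.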
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 3.0, 3.0.1, 3.0.2