Network Traffic
The fields in the Network Traffic data model describe flows of data across network infrastructure components.
Tags used with Network Traffic event objects
Object name | Tag name |
---|---|
All_Traffic | network |
All_Traffic | communicate |
Fields for Network Traffic event objects
Object name | Field name | Data type | Description | Possible values |
---|---|---|---|---|
All_Traffic | action | string | The action taken by the network device. | `allowed`, `blocked`, `dropped`, `unknown` |
All_Traffic | app | string | The application protocol of the traffic. | |
All_Traffic | bytes | number | Total count of bytes handled by this device/interface (`bytes_in` + `bytes_out`). | |
All_Traffic | bytes_in | number | How many bytes this device/interface received. | |
All_Traffic | bytes_out | number | How many bytes this device/interface transmitted. | |
All_Traffic | channel | number | The 802.11 channel used by a wireless network. | |
All_Traffic | dest | string | The destination of the network traffic (the remote host). May be aliased from more specific fields, such as `dest_host`, `dest_ip`, or `dest_name`. | |
All_Traffic | dest_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Traffic | dest_category | string | | |
All_Traffic | dest_interface | string | The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface." | |
All_Traffic | dest_ip | string | The IP address of the destination. | |
All_Traffic | dest_mac | string | The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as `06:10:9f:eb:8f:14`. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. | |
All_Traffic | dest_port | number | The destination port of the network traffic. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). You can set up the corresponding string value in the `dest_svc` field. | |
All_Traffic | dest_priority | string | The destination priority, if applicable. | |
All_Traffic | dest_translated_ip | string | The NATed IPv4 or IPv6 address to which a packet has been sent. | |
All_Traffic | dest_translated_port | number | The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). | |
All_Traffic | direction | string | The direction the packet is travelling. | `inbound`, `outbound`, `unknown` |
All_Traffic | dvc | string | The device that reported the traffic event. May be aliased from more specific fields, such as `dvc_host`, `dvc_ip`, or `dvc_name`. | |
All_Traffic | dvc_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Traffic | dvc_category | string | | |
All_Traffic | dvc_ip | string | | |
All_Traffic | dvc_mac | string | | |
All_Traffic | dvc_priority | string | | |
All_Traffic | flow_id | string | Unique identifier for this traffic stream, such as a `netflow`, `jflow`, or `cflow`. | |
All_Traffic | icmp_code | string | The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as `Destination Unreachable` or `Parameter Problem`. See the ICMP Type Numbers and the ICMPv6 Type Numbers. | |
All_Traffic | icmp_type | number | The RFC 2780 or RFC 4443 numeric value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers. | 0 to 254 |
All_Traffic | ip_version | number | The numbered Internet Protocol version. Splunk 5 or better autodetects IPv4 vs IPv6, rendering this field unnecessary. | `4`, `6` |
All_Traffic | packets | number | The total count of packets handled by this device/interface (`packets_in` + `packets_out`). | |
All_Traffic | packets_in | number | The total count of packets received by this device/interface. | |
All_Traffic | packets_out | number | The total count of packets transmitted by this device/interface. | |
All_Traffic | protocol | string | The OSI layer 3 (network) protocol of the traffic observed, in lower case. | `ipv4`, `ipv6`, `icmp`, `ipsec`, `igmp`, `rip`, `unknown` |
All_Traffic | rule | string | The rule which defines the action that was taken in the network event. Note: This is a string value. Use a `rule_id` field for rule fields that are integer data types (`rule_id` fields are optional, so they are not included in this table). | |
All_Traffic | session_id | string | The session identifier. Multiple transactions build a session. | |
All_Traffic | src | string | The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as `src_host`, `src_ip`, or `src_name`. | |
All_Traffic | src_category | string | The category of the network traffic source. | |
All_Traffic | src_interface | string | The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface." | |
All_Traffic | src_ip | string | The IP address of the source. | |
All_Traffic | src_mac | string | The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's source, such as `06:10:9f:eb:8f:14`. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. | |
All_Traffic | src_port | number | The source port of the network traffic. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). You can set up the corresponding string value in the `src_svc` field. | |
All_Traffic | src_priority | number | The priority of the source, if applicable. | |
All_Traffic | src_translated_ip | string | The NATed IPv4 or IPv6 address from which a packet has been sent. | |
All_Traffic | src_translated_port | number | The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (`tcp/80` is `80`, not `http`). | |
All_Traffic | ssid | string | The 802.11 service set identifier (SSID) assigned to a wireless session. | |
All_Traffic | tag | string | The tag associated with the traffic. | |
All_Traffic | tcp_flag | string | The TCP flag(s) specified in the event. | Can be one or more of `SYN`, `ACK`, `FIN`, `RST`, `URG`, or `PSH`. |
All_Traffic | transport | string | The OSI layer 4 (transport) or internet layer protocol of the traffic observed, in lower case. | `tcp`, `udp`, `icmp`, `unknown` |
All_Traffic | tos | string | The combination of source and destination IP ToS (type of service) values in the event. | |
All_Traffic | ttl | number | The "time to live" of a packet or datagram. | |
All_Traffic | user | string | The user that requested the traffic flow. | |
All_Traffic | user_bunit | string | These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons. | |
All_Traffic | user_category | string | | |
All_Traffic | user_priority | string | | |
All_Traffic | vendor_product | string | The vendor technology of the device generating the network event, such as `Juniper` or `Cisco`. | |
All_Traffic | vlan | string | The virtual local area network (VLAN) specified in the record. | |
All_Traffic | wifi | string | The wireless standard(s) in use, such as `802.11a`, `802.11b`, `802.11g`, or `802.11n`. | |
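As an added example (not part of the Splunk CIM documentation or the add-on), the following Python normalizer maps a constructed vendor firewall record onto the All_Traffic field rules above and then checks the result the way an add-on author would before shipping it: MAC addresses lower case with colons, ports numeric rather than service names, `action` and `transport` restricted to the listed values, and `bytes` equal to `bytes_in` + `bytes_out`. The raw field names (`act`, `proto`, `smac`, ...) and the vendor verb vocabulary in `ACTION_MAP` are assumptions for a hypothetical source.

```python
import re

# Constructed sample vendor firewall record (not from the page), pre-normalization.
RAW_EVENT = {"act": "Allow", "proto": "TCP", "sport": "51234", "dport": "tcp/443",
             "smac": "06-10-9F-EB-8F-14", "dmac": "00:1A:2b:3C:4d:5E",
             "sip": "10.0.0.5", "dip": "203.0.113.7", "rcvd": "1400", "sent": "600"}
# Allowed values taken from the All_Traffic field table.
ACTIONS = {"allowed", "blocked", "dropped", "unknown"}
TRANSPORTS = {"tcp", "udp", "icmp", "unknown"}
# Assumed vendor verb vocabulary for the hypothetical source above.
ACTION_MAP = {"allow": "allowed", "permit": "allowed", "deny": "blocked", "drop": "dropped"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def norm_mac(value):
    """Lower case, colon separated, as the src_mac/dest_mac notes require."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def norm_port(value):
    """Ports stay numeric: 'tcp/80' becomes 80, never the string 'http'."""
    return int(str(value).rsplit("/", 1)[-1])

def to_cim(raw):
    """Map one vendor record onto All_Traffic field names and value rules."""
    act, proto = raw["act"].lower(), raw["proto"].lower()
    cim = {
        "action": ACTION_MAP.get(act, act if act in ACTIONS else "unknown"),
        "transport": proto if proto in TRANSPORTS else "unknown",
        "src_ip": raw["sip"], "dest_ip": raw["dip"],
        "src_port": norm_port(raw["sport"]), "dest_port": norm_port(raw["dport"]),
        "src_mac": norm_mac(raw["smac"]), "dest_mac": norm_mac(raw["dmac"]),
        "bytes_in": int(raw["rcvd"]), "bytes_out": int(raw["sent"]),
    }
    cim["bytes"] = cim["bytes_in"] + cim["bytes_out"]  # bytes = bytes_in + bytes_out
    return cim

def violations(cim):
    """List the table's constraints an event breaks; an empty list means compliant."""
    bad = []
    if cim.get("action") not in ACTIONS: bad.append("action")
    if cim.get("transport") not in TRANSPORTS: bad.append("transport")
    for f in ("src_port", "dest_port"):
        if not isinstance(cim.get(f), int): bad.append(f)
    for f in ("src_mac", "dest_mac"):
        if not MAC_RE.match(str(cim.get(f, ""))): bad.append(f)
    if cim.get("bytes") != cim.get("bytes_in", 0) + cim.get("bytes_out", 0): bad.append("bytes")
    return bad
```

Running `violations` over events already indexed by an add-on is a quick way to catch the common mistakes the table warns about (dashed or upper-case MACs, `http` in a port field) before they break CIM-based searches.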
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0