Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

This documentation does not apply to the most recent version of CIM. Click here for the latest version.
Download topic as PDF

Network Traffic

The fields in the Network Traffic data model describe flows of data across network infrastructure components.

Tags used with Network Traffic event objects

Object name Tag name
All_Traffic network
communicate

Fields for Network Traffic event objects

Object name Field name Data type Description Possible values
All_Traffic action string The action taken by the network device. allowed, blocked, dropped, unknown
All_Traffic app string The application protocol of the traffic.
All_Traffic bytes number Total count of bytes handled by this device/interface (bytes_in + bytes_out).
All_Traffic bytes_in number How many bytes this device/interface received.
All_Traffic bytes_out number How many bytes this device/interface transmitted.
All_Traffic channel number The 802.11 channel used by a wireless network.
All_Traffic dest string The destination of the network traffic (the remote host). May be aliased from more specific fields, such as dest_host, dest_ip, or dest_name.
All_Traffic dest_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Traffic dest_category string
All_Traffic dest_interface string The interface that is listening remotely or receiving packets locally. Can also be referred to as the "egress interface."
All_Traffic dest_ip string The IP address of the destination.
All_Traffic dest_mac string The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.
All_Traffic dest_port number The destination port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field.
All_Traffic dest_priority string The destination priority, if applicable.
All_Traffic dest_translated_ip string The NATed IPv4 or IPv6 address to which a packet has been sent.
All_Traffic dest_translated_port number The NATed port to which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
All_Traffic direction string The direction the packet is travelling. inbound, outbound, unknown
All_Traffic dvc string The device that reported the traffic event. May be aliased from more specific fields, such as dvc_host, dvc_ip, or dvc_name.
All_Traffic dvc_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Traffic dvc_category string
All_Traffic dvc_ip string
All_Traffic dvc_mac string
All_Traffic dvc_priority string
All_Traffic flow_id string Unique identifier for this traffic stream, such as a netflow, jflow, or cflow.
All_Traffic icmp_code string The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem . See the IMCP Type Numbers and the IMCPv6 Type Numbers.
All_Traffic icmp_type number The RFC 2780 or RFC 4443 numeric value of the traffic. See the IMCP Type Numbers and the IMCPv6 Type Numbers. 0 to 254
All_Traffic ip_version number The numbered Internet Protocol version. Splunk 5 or better autodetects IPv4 vs IPv6, rendering this field unnecessary. 4, 6
All_Traffic packets number The total count of packets handled by this device/interface (packets_in + packets_out).
All_Traffic packets_in number The total count of packets received by this device/interface.
All_Traffic packets_out number The total count of packets transmitted by this device/interface.
All_Traffic protocol string The OSI layer 3 (network) protocol of the traffic observed, in lower case. ipv4, ipv6, icmp, ipsec, igmp, rip, unknown
All_Traffic rule string The rule which defines the action that was taken in the network event.

Note: This is a string value. Use a rule_id field for rule fields that are integer data types (rule_id fields are optional, so they are not included in this table).
All_Traffic session_id string The session identifier. Multiple transactions build a session.
All_Traffic src string The source of the network traffic (the client requesting the connection). May be aliased from more specific fields, such as src_host, src_ip, or src_name.
All_Traffic src_category string The category of the network traffic source.
All_Traffic src_interface string The interface that is listening locally or sending packets remotely. Can also be referred to as the "ingress interface."
All_Traffic src_ip string The ip address of the source.
All_Traffic src_mac string The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.
All_Traffic src_port number The source port of the network traffic.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field.
All_Traffic src_priority number The priority of the source, if applicable.
All_Traffic src_translated_ip string The NATed IPv4 or IPv6 address from which a packet has been sent..
All_Traffic src_translated_port number The NATed port from which a packet has been sent.

Note: Do not translate the values of this field to strings (tcp/80 is 80, not http).
All_Traffic ssid string The 802.11 service set identifier (ssid) assigned to a wireless session.
All_Traffic tag string The tag associated with the traffic.
All_Traffic tcp_flag string The TCP flag(s) specified in the event. Can be one or more of SYN, ACK, FIN, RST, URG, or PSH.
All_Traffic transport string The OSI layer 4 (transport) or internet layer protocol of the traffic observed, in lower case. tcp, udp, icmp, unknown
All_Traffic tos string The combination of source and destination IP ToS (type of service) values in the event.
All_Traffic ttl number The "time to live" of a packet or diagram.
All_Traffic user string The user that requested the traffic flow.
All_Traffic user_bunit string These are derived fields provided by Asset and Identity correlation features of certain advanced applications like the Splunk App for Enterprise Security. They should be left blank when writing add-ons.
All_Traffic user_category string
All_Traffic user_priority string
All_Traffic vendor_product string The vendor technology of the device generating the network event, such as Juniper or Cisco.
All_Traffic vlan string The virtual local area network (VLAN) specified in the record.
All_Traffic wifi string The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n.
PREVIOUS
Network Sessions
  NEXT
Performance

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters