Simple Transport
Splunk App for Stream supports capture of these Simple Transport protocols on Linux, Mac, and Windows. For more information, see Configure Streams in the Splunk App for Stream User Manual.
TCP
Transmission Control Protocol (RFC 793)
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | MAC address of client packets, in hexadecimal format | flow.c-mac |
dest_mac | MAC address of server packets, in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
ssl_session_id | SSL session id | flow.ssl-session-id |
ssl_cert_md5 | md5 of SSL certificate | flow.ssl-cert-md5 |
ssl_commonname | Common name with domain name of subject in SSL certificate | flow.ssl-cert-subject-commonname |
ssl_orgname | Organization name of subject in SSL certificate | flow.ssl-cert-subject-orgname |
ssl_issuer | Organization name of issuer in SSL certificate | flow.ssl-cert-issuer-orgname |
ssl_serialnumber | Serial number of SSL certificate | flow.ssl-cert-serialnumber |
ssl_validity_end | SSL certificate's validity end date | flow.ssl-cert-validity-not-after |
ssl_validity_start | SSL certificate's validity start date | flow.ssl-cert-validity-not-before |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
UDP
User Datagram Protocol (RFC 768)
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | MAC address of client packets, in hexadecimal format | flow.c-mac |
dest_mac | MAC address of server packets, in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
This documentation applies to the following versions of Splunk Stream™: 6.5.0, 6.5.1