This documentation does not apply to the most recent version of Splunk Stream™.
For documentation on the most recent version, go to the latest release.
Flow Protocols
NetFlow
| Name | Description | Term |
|---|---|---|
| event_name | Name of event | flow.event-name |
| netflow_version | Netflow Version | netflow.version |
| seqnumber | Netflow sequence number | netflow.flow-sequence |
| num_flows | Netflow number of flows | netflow.num-flows |
| exporter_ip | IP address of device that generated flow | netflow.exporterIPAddress |
| src_ip | Source address of flow | flow.c-ip |
| dest_ip | Destination address of flow | flow.s-ip |
| src_port | Source port number of flow | flow.c-port |
| dest_port | Destination port number of flow | flow.s-port |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| protoid | IP protocol type | ip.protoid |
| tos | Type of Service | ip.tos |
| bytes | Total number of Layer 3 bytes in the flow | netflow.bytes |
| packets | Total number of packets in the flow | flow.packets |
| time_taken | Duration of flow | flow.time-taken |
| tcp_flags | Cumulative OR of TCP flags for this flow | netflow.tcp-flags |
| src_sysnum | System number of source for this flow | netflow.c-sysnum |
| dest_sysnum | System number of destination for this flow | netflow.s-sysnum |
| name | desc | netflow.input-snmpidx |
| event_name | Name of event | netflow.output-snmpidx |
| netflow_version | Netflow Version | netflow.bgp-nexthop-address |
| name | desc | netflow.multicast-out-packets |
| event_name | Name of event | netflow.multicast-out-bytes |
| netflow_version | Netflow Version | netflow.sc-bytes |
| seqnumber | Netflow sequence number | netflow.sc-packets |
| num_flows | Netflow number of flows | netflow.cs-packets |
| exporter_ip | IP address of device that generated flow | netflow.cs-bytes |
| src_ip | Source address of flow | netflow.src-mask |
| dest_ip | Destination address of flow | netflow.dest-mask |
| src_port | Source port number of flow | flow.ipv6-flow-label |
| dest_port | Destination port number of flow | netflow.mpls-top-label-type |
| dest_mac | Server packets MAC address in hexadecimal format | netflow.mplsTopLabelIPAddress |
| src_mac | Client packets MAC address in hexadecimal format | netflow.selectorId |
| protoid | IP protocol type | netflow.selectorAlgorithm |
| tos | Type of Service | netflow.samplingPacketInterval |
| bytes | Total number of Layer 3 bytes in the flow | netflow-min-ttl |
| packets | Total number of packets in the flow | netflow-max-ttl |
| time_taken | Duration of flow | ip.id |
| tcp_flags | Cumulative OR of TCP flags for this flow | netflow.post-dest-mac |
| src_sysnum | System number of source for this flow | netflow.src-vlan |
| dest_sysnum | System number of destination for this flow | netflow.dest-vlan |
| name | desc | ip.version |
| event_name | Name of event | flow.direction |
| netflow_version | Netflow Version | netflow.nexthop-address |
| name | desc | netflow.post-src-mac |
| event_name | Name of event | netflow.if-name |
| netflow_version | Netflow Version | netflow.perm-bytes |
| seqnumber | Netflow sequence number | netflow.perm-packets |
| num_flows | Netflow number of flows | netflow.forward-status |
| exporter_ip | IP address of device that generated flow | netflow.app-tag |
| app | Specifies the name of an application | netflow.app-name |
| drop_octet_count | Number of octets since the previous report (if any) of this Flow dropped by packet treatment | netflow.droppedOctetDeltaCount |
| drop_packet_count | Number of packets since the previous report (if any) of this Flow dropped by packet treatment | netflow.droppedPacketDeltaCount |
| drop_octet_total_count | Number of octets of this Flow dropped by packet treatment | netflow.droppedOctetTotalCount |
| drop_pkt_total_count | Number of packets of this Flow dropped by packet treatment | netflow.droppedPacketTotalCount |
| flow_end_reason | Reason for Flow termination | flow.end-reason |
| observation_point_id | Identifier of an Observation Point that is unique per Observation Domain | netflow.observationPointId |
| linecard_id | Identifier of a line card that is unique per IPFIX Device hosting an Observation Point | netflow.lineCardId |
| port_id | Identifier of line port that is unique per IPFIX Device hosting an Observation Point | netflow.portId |
| metering_process_id | Identifier of a Metering Process that is unique per IPFIX Device | netflow.meteringProcessId |
| export_process_id | Identifier of an Exporting Process that is unique per IPFIX Device | netflow.exportingProcessId |
| template_id | Identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain | netflow.templateId |
| channel | Identifier of the 802.11 (Wi-Fi) channel | netflow.wlanChannelId |
| ssid | Service Set Identifier of 802.11 (Wi-Fi) network | netflow.wlanSSID |
| flow_id | Identifier of a Flow that is unique within an Observation Domain | netflow.flowId |
| observation_domain_id | Identifier of Observation Domain that is locally unique to an Exporting Process | netflow.observationDomainId |
| flow_start_time | The absolute timestamp of the first packet of this Flow | time.epoch-time |
| flow_end_time | The absolute timestamp of the last packet of this Flow. | time.epoch-time-end |
| flow_start_time_milli | The absolute timestamp of the first packet of this Flow | netflow.flowStartMilliseconds |
| flow_end_time_milli | The absolute timestamp of the last packet of this Flow. | netflow.flowEndMilliseconds |
| flow_start_time_micro | The absolute timestamp of the first packet of this Flow | netflow.flowStartMicroseconds |
| flow_end_time_micro | The absolute timestamp of the last packet of this Flow. | netflow.flowEndMicroseconds |
| flow_start_time_nano | The absolute timestamp of the first packet of this Flow | netflow.flowStartNanoseconds |
| flow_end_time_nano | The absolute timestamp of the last packet of this Flow. | netflow.flowEndNanoseconds |
| sys_init_time_milli | The absolute timestamp of the last (re-)initialization of the IPFIX Device. | netflow.systemInitTimeMilliseconds |
| flow_duration_milli | The difference in time between the first observed packet of this Flow and the last observed packet of this Flow | netflow.flowDurationMilliseconds |
| flow_duration_micro | The difference in time between the first observed packet of this Flow and the last observed packet of this Flow. | netflow.flowDurationMicroseconds |
| obsv_flow_count | Total number of Flows observed in the Observation Domain since the Metering Process (re-)initialization | netflow.observedFlowTotalCount |
| ignored_pkt_count | Total number of observed IP packets that the Metering Process did not process since the Metering Process (re-)initialization | netflow.ignoredPacketTotalCount |
| ignored_octet_count | Total number of octets that the Metering Process did not process since the Metering Process (re-)initialization | netflow.ignoredOctetTotalCount |
| not_sent_flow_count | Total number of Flow Records dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentFlowTotalCount |
| not_sent_pkt_count | Total number of packets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentPacketTotalCount |
| not_sent_octet_count | Total number of octets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentOctetTotalCount |
| src_ip_prefix | Source address prefix | netflow.sourceIPPrefix |
| dest_ip_prefix | Destination address prefix | netflow.destinationIPPrefix |
| post_octet_count | Modified total octet count caused by a middlebox function after the packet passed the Observation Point. | netflow.postOctetTotalCount |
| post_pkt_count | Modified total packet count caused by a middlebox function after the packet passed the Observation Point. | netflow.postPacketTotalCount |
| tcp_seq_num | The sequence number in the TCP header | netflow.tcpSequenceNumber |
| tcp_ack_num | The acknowledgement number in the TCP header | netflow.tcpAcknowledgementNumber |
| tcp_win_size | The window field in the TCP header | netflow.tcpWindowSize |
| ip_frag_flags | Fragmentation properties indicated by flags | ip.fragment-flags |
| tcp_total_syn_count | Number of packets of this Flow with TCP SYN flag set | netflow.tcpSynTotalCount |
| tcp_total_fin_count | Number of packets of this Flow with TCP FIN flag set | netflow.tcpFinTotalCount |
| tcp_total_rst_count | Number of packets of this Flow with TCP RST flag set | netflow.tcpRstTotalCount |
| tcp_total_psh_count | Number of packets of this Flow with TCP PSH flag set | netflow.tcpPshTotalCount |
| tcp_total_ack_count | Number of packets of this Flow with TCP ACK flag set | netflow.tcpAckTotalCount |
| tcp_total_urg_count | Number of packets of this Flow with TCP URG flag set | netflow.tcpUrgTotalCount |
| nat_event | Indicates a NAT event | netflow.natEvent |
| multicast_flags | Flags to indicate multicast | netflow.isMulticast |
| firewall_event | Indicates a firewall event | netflow.firewallEvent |
| tcp_window_scale | The scale of the window field in the TCP header | netflow.tcpWindowScale |
| ingress_interface | Networking device's physical interface (example, a switch port) where packets of this flow are being received | netflow.ingressPhysicalInterface |
| egress_interface | Networking device's physical interface (example, a switch port) where packets of this flow are being sent | netflow.egressPhysicalInterface |
| msg_md5_chksum | MD5 checksum of the IPFIX Message containing this record | netflow.messageMD5Checksum |
| txn_id | Identifies a transaction within a connection | netflow.connectionTransactionId |
| is_p2p | Specifies if Application ID is based on peer-to-peer technology | netflow.p2pTechnology |
| is_tunnel | Specifies if Application ID is used as a tunnel technology | netflow.tunnelTechnology |
| is_encrypted | Specifies if Application ID is an encrypted networking protocol | netflow.encryptedTechnology |
| ipsec_spi | IPSec Security Parameters Index (SPI) | netflow.IPSecSPI |
| gre_key | GRE key, identifying an individual traffic flow within a tunnel | netflow.greKey |
| nat_type | Type of NAT treatment | netflow.natType |
| selector_name | Name of a selector identified by a selectorID | netflow.selectorName |
| virtual_station_itf_id | Instance Identifier of the interface to a Virtual Station | netflow.virtualStationInterfaceId |
| virtual_station_itf_name | Name of the interface to a Virtual Station | netflow.virtualStationInterfaceName |
| virtual_station_uuid | Unique Identifier of a Virtual Station | netflow.virtualStationUUID |
| virtual_station_name | Name of a Virtual Station | netflow.virtualStationName |
| layer2_segment_id | Identifier of a layer 2 network segment in an overlay network | netflow.layer2SegmentId |
| ingress_unicast_pkt_count | Total number of incoming unicast packets | netflow.ingressUnicastPacketTotalCount |
| ingress_multicast_pkt_count | Total number of incoming multicast packets | netflow.ingressMulticastPacketTotalCount |
| ingress_broadcast_pkt_count | Total number of incoming broadcast packets | netflow.ingressBroadcastPacketTotalCount |
| egress_unicast_pkt_count | Total number of outgoing unicast packets | netflow.egressUnicastPacketTotalCount |
| egress_broadcast_pkt_count | Total number of outgoing unicast packets | netflow.egressBroadcastPacketTotalCount |
| sta_mac_addr | IEEE 802 MAC address of a wireless station (STA). | netflow.staMacAddress |
| sta_ip_addr | IP address of a wireless station | netflow.staIPAddress |
| wtp_mac_addr | IEEE 802 MAC address of a wireless access point | netflow.wtpMacAddress |
| ingress_itf_type | Type of interface where packets of this Flow are being received | netflow.ingressInterfaceType |
| egress_itf_type | Type of interface where packets of this Flow are being sent | netflow.egressInterfaceType |
| user_name | User name associated with the flow | netflow.userName |
| netflow_elements | Key Value pairs | netflow.elements |
sFlow
| Name | Description | Term |
|---|---|---|
| sflow_version | sFlow Version | sflow.version |
| seqnumber | sFlow sequence number | sflow.flow-sequence |
| exporter_ip | IP address of device that generated flow | netflow.exporterIPAddress |
| src_ip | Source address of flow | flow.c-ip |
| dest_ip | Destination address of flow | flow.s-ip |
| src_port | Source port number of flow | flow.c-port |
| dest_port | Destination port number of flow | flow.s-port |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| protoid | IP protocol type | ip.protoid |
| ip_len | Length of the IP packet | ip.packet-len |
| tcp_flags | Cumulative OR of TCP flags for this flow | netflow.tcp-flags |
| tos | Type of Service | ip.tos |
| packets | Total number of packets in the flow | flow.packets |
| time_taken | Duration of flow | flow.time-taken |
| src_sysnum | System number of source for this flow | netflow.c-sysnum |
| dest_sysnum | System number of destination for this flow | netflow.s-sysnum |
| input_snmpidx | SNMP index of input interface for this flow | netflow.input-snmpidx |
| output_snmpidx | SNMP index of output interface for this flow | netflow.output-snmpidx |
| sflow_sampling_rate | sFlow sampling rate | sflow.sampling-rate |
| sflow_sample_pool | Number of packets sampled | sflow.sample-pool |
| sflow_dropped_pkts | Dropped packets | sflow.dropped-pkts |
| sflow_input_itf_index | Interface packet was received on | sflow.input-interface-index |
| sflow_output_itf_index | Interface packet was sent on | sflow.output-interface-index |
| sflow_header_protocol | sFlow raw packet header protocol | sflow.header-protocol |
| orig_frame_len | sFlow Original length of packet before sampling | sflow.frame-length |
| stripped_octets | Number of octets removed | sflow.stripped-octets |
| ethernet_pkt_type | Ethernet packet type | sflow.ethernet-packet-type |
| interface_name | Name of network interface | flow.interface-name |
| interface_index | Network interface index | flow.interface-index |
| interface_type | Network interface type | flow.interface-type |
| interface_speed | Network interface speed | flow.interface-speed |
| interface_direction | Interface Direction | flow.interface-direction |
| interface_status | Interface status | flow.interface-status |
| interface_input_octets | Interface input octets | flow.interface-input-octets |
| interface_input_pkts | Interface input packets | flow.interface-input-pkts |
| interface_input_multi_pkts | Interface multicast packets | flow.interface-input-multi-pkts |
| interface_input_broad_pkts | Interface broadcast packets | flow.interface-input-broad-pkts |
| interface_input_discard_pkts | Interface discarded packets | flow.interface-input-discard-pkts |
| interface_input_errors | Interface input errors | flow.interface-input-errors |
| interface_input_unk_proto_pkts | Interface input unknown protocol packets | flow.interface-input-unk-protos |
| interface_output_octets | Interface output octets | flow.interface-output-octets |
| interface_output_pkts | Interface output packets | flow.interface-output-pkts |
| interface_output_multi_pkts | Interface multicast packets | flow.interface-output-multi-pkts |
| interface_output_broad_pkts | Interface broadcast packets | flow.interface-output-broad-pkts |
| interface_output_discard_pkts | Interface discarded packets | flow.interface-output-discard-pkts |
| interface_output_errors | Interface output errors | flow.interface-output-errors |
| interface_promiscuous_mode | Interface promiscuous mode | flow.interface-promiscuous |
| dot3_stats_alignment_errs | Frames received that are not an integral number of octets in length and do not pass the FCS check | sflow.dot3StatsAlignmentErrors |
| dot3_stats_fcs_errs | Frames received that are an integral number of octets in length but do not pass the FCS check | sflow.dot3StatsFCSErrors |
| dot3_stats_single_collision_frames | Count of transmitted frames on a particular interface for which transmission is inhibited by exactly one collision | sflow.dot3StatsSingleCollisionFrames |
| dot3_stats_multi_collision_frames | Count of transmitted frames on a particular interface for which transmission is inhibited by more than one collision | sflow.dot3StatsMultipleCollisionFrames |
| dot3_stats_sqe_test_errors | Count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface | sflow.dot3StatsSQETestErrors |
| dot3_stats_deferred_transmissions | Count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy | sflow.dot3StatsDeferredTransmissions |
| dot3_stats_late_collisions | Number of times that a collision is detected on a particular interface later than 512 bit-times into the transmission of a packet | sflow.dot3StatsLateCollisions |
| dot3_stats_excessive_collisions | Count of frames for which transmission on a particular interface fails due to excessive collisions | sflow.dot3StatsExcessiveCollisions |
| dot3_stats_internal_mac_tranmit_errors | Count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error | sflow.dot3StatsInternalMacTransmitErrors |
| dot3_stats_carrier_sense_errors | Number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame | sflow.dot3StatsCarrierSenseErrors |
| dot3_stats_frame_too_longs | Count of frames received on a particular interface that exceed the maximum permitted frame size | sflow.dot3StatsFrameTooLongs |
| dot3_stats_internal_mac_receive_errors | Count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error | sflow.dot3StatsInternalMacReceiveErrors |
| dot3_stats_symbol_errors | Number of times there was an invalid data symbol when a valid carrier was present on a particular interface | sflow.dot3StatsSymbolErrors |
| dot5_stats_line_errors | Count of tokens or frames with E bit set to zero and there is J or K bit between the SD and the ED or there is an FCS error | sflow.dot5StatsLineErrors |
| dot5_stats_burst_errors | Count of absence of transitions for five half-bit timers | sflow.dot5StatsBurstErrors |
| dot5_stats_ac_errors | Count of errors resulted by station that cannot set the AC bits properly | sflow.dot5StatsACErrors |
| dot5_stats_abort_trans_errors | Count of errors resulting from an abort delimiter while transmitting | sflow.dot5StatsAbortTransErrors |
| dot5_stats_internal_errors | Count of internal errors | sflow.dot5StatsInternalErrors |
| dot5_stats_lost_frame_errors | Count of errors resulting from TRR timer expiry | sflow.dot5StatsLostFrameErrors |
| dot5_stats_recv_congestion | Count of errors resulting from no available buffer space or congestion | sflow.dot5StatsReceiveCongestions |
| dot5_stats_frame_copy_errs | Count of errors resulting from FS field A bits set to 1 | sflow.dot5StatsFrameCopiedErrors |
| dot5_stats_token_errs | Count of errors resulting from a condition that needs a token transmitted | sflow.dot5StatsTokenErrors |
| dot5_stats_soft_errs | Count of Soft Errors the interface has detected | sflow.dot5StatsSoftErrors |
| dot5_stats_hard_errs | Number of times this interface has detected an immediately recoverable fatal error | sflow.dot5StatsHardErrors |
| dot5_stats_signal_loss | Number of times this interface has detected the loss of signal condition from the ring | sflow.dot5StatsSignalLoss |
| dot5_stats_transmit_beacons | Number of times this interface has transmitted a beacon frame | sflow.dot5StatsTransmitBeacons |
| dot5_stats_recoverys | Number of Claim Token MAC frames received or transmitted after the interface has received a Ring Purge MAC frame | sflow.dot5StatsRecoverys |
| dot5_stats_lobe_wires | Number of times times the interface has detected an open or short circuit in the lobe data path | sflow.dot5StatsLobeWires |
| dot5_stats_removes | Number of times the interface has received a Remove Ring Station MAC frame request | sflow.dot5StatsRemoves |
| dot5_stats_singles | Number of times the interface has sensed that it is the only station on the ring | sflow.dot5StatsSingles |
| dot5_stats_freq_errs | Number of times the interface has detected that the frequency of the incoming signal differs from the expected frequency by more than that specified by the IEEE 802.5 standard | sflow.dot5StatsFreqErrors |
| dot12_in_high_priority_frames | Count of high priority frames that have been received on this interface | sflow.dot12InHighPriorityFrames |
| dot12_in_high_priority_octets | Count of number of octets contained in high priority frames that have been received on this interface | sflow.dot12InHighPriorityOctets |
| dot12_in_norm_priority_frames | Count of normal priority frames that have been received on this interface | sflow.dot12InNormPriorityFrames |
| dot12_in_norm_priority_octets | Count of number of octets contained in normal priority frames that have been received on this interface | sflow.dot12InNormPriorityOctets |
| dot12_in_ipm_errs | Count of number of frames that have been received on this interface with an invalid packet marker and no PMI errors | sflow.dot12InIPMErrors |
| dot12_in_oversize_frames_errs | Count of oversize frames received on this interface | sflow.dot12InOversizeFrameErrors |
| dot12_in_data_errs | Count of oversize frames received on this interface | sflow.dot12InDataErrors |
| dot12_in_null_address_frames | Count of null addressed frames received on this interface | sflow.dot12InNullAddressedFrames |
| dot12_out_high_priority_frames | Count of high priority frames successfully transmitted out | sflow.dot12OutHighPriorityFrames |
| dot12_out_high_priority_octets | Count of octets of high priority frames successfully transmitted out | sflow.dot12OutHighPriorityOctetss |
| dot12_transition_trainings | Count of the number of times this interface has entered the training state | sflow.dot12TransitionIntoTrainings |
| dot12_hc_in_high_priority_octets | Count of the number of octets contained in high priority frames that have been received on this interface | sflow.dot12HCInHighPriorityOctets |
| dot12_hc_in_norm_priority_octets | Count of the number of octets contained in normal priority frames that have been received on this interface | sflow.dot12HCInNormPriorityOctets |
| dot12_hc_out_high_priority_octets | Count of the number of octets contained in high priority frames that have been send out of this interface | sflow.dot12HCOutHighPriorityOctets |
| vlan_id | Vlan Id | flow.vlan-id |
| vlan_octets | Count of octets | sflow.vlanOctets |
| vlan_ucast_pkts | Count of uni-cast packets | sflow.vlan-ucast-packets |
| vlan_multi_cast_pkts | Count of multi-cast packets | sflow.vlan-multicast-packets |
| vlan_broad_cast_pkts | Count of broadcast packets | sflow.vlan-broadcast-packets |
| vlan_discards | Count of discards | sflow.vlanDiscards |
| cpu_util_5s | 5 second average CPU utilization | sflow.cpu_percent_5s |
| cpu_util_1m | 1 minute average CPU utilization | sflow.cpu_percent_1m |
| cpu_util_5m | 5 minute average CPU utilization | sflow.cpu_percent_5m |
| total_mem | Total memory(in bytes) | sflow.total-mem |
| free_mem | Free memory(in bytes) | sflow.free-mem |
| dest_vlan | VLAN identifier of outgoing frame | netflow.dest-vlan |
| dest_vlan_priority | 802.ip priority of outgoing frame | netflow.dest-vlan_priority |
| src_vlan | VLAN identifier of incoming frame | netflow.src-vlan |
| src_vlan_priority | 802.ip priority of incoming frame | netflow.src-vlan_priority |
| sflow_elements | Key Value pairs | sflow.elements |
| event_name | Name of event | flow.event-name |
Last modified on 15 February, 2017
| File Service |
This documentation applies to the following versions of Splunk Stream™: 7.0.0, 7.0.1
Download manual
Feedback submitted, thanks!