Splunk Stream

Installation and Configuration Manual


Infrastructure

Splunk App for Stream supports capture of these Infrastructure protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.

DHCP

Dynamic Host Configuration Protocol (RFC 2132)

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets' MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets' MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Layer 7 (application) protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol | flow.transport |
| opcode | Type of DHCP message | dhcp.message-type |
| file | Name of the boot file used during initialization | dhcp.filename |
| chaddr | Client hardware address | dhcp.client-mac |
| ciaddr | Client IP address | dhcp.current-client-ip |
| dns_server | DNS server IP address | dhcp.dns-ip |
| giaddr | Relay agent IP address | dhcp.relay-ip |
| ip_lease_time | Lease time the DHCP server is willing to offer | dhcp.lease-time |
| siaddr | IP address of the next server (used when booting via a server) | dhcp.server-ip |
| sname | Host name of the next server | dhcp.server-name |
| yiaddr | New IP address assigned to the client | dhcp.new-client-ip |
| subnetmask | Subnet mask assigned to the client | dhcp.new-client-subnet |
| router | IP address of the gateway | dhcp.gateway-ip |

DNS

Domain Name System (RFC 1034)

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets' MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets' MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Layer 7 (application) protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| ancount | The number of resource records in the answer section | dns.ancount |
| arcount | Number of additional answers | dns.arcount |
| hostname | Host name | dns.host |
| host_addr | Host IP address | dns.host-addr |
| host_type | DNS host type | dns.host-type |
| message_type | DNS message type | dns.message-type |
| name | Name of the request | dns.name |
| nscount | Number of answers in the 'authority' section | dns.nscount |
| qdcount | Number of queries | dns.qdcount |
| query | DNS query sent | dns.query |
| query_type | DNS query type | dns.query-type |
| reply_code | DNS reply code (return message) | dns.reply-code |
| response_time | Elapsed time between sending the DNS request and receiving its response, in microseconds | dns.response-time |
| reverse_addr | IP address returned for the PTR request | dns.reverse-addr |
| transaction_id | DNS transaction identifier | dns.transaction-id |
| ttl | Time (in seconds) that DNS information returned by the server is kept in cache | dns.ttl |

ICMP

Internet Control Message Protocol (RFC 792)

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets' MAC address in hexadecimal format | flow.c-mac |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| network_interface | Name of the network interface | flow.interface-name |
| capture_hostname | Hostname where the flow was captured | flow.hostname |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets' MAC address in hexadecimal format | flow.s-mac |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| time_taken | Number of microseconds it took to complete a flow event, from the end user's perspective | flow.time-taken |
| id | ICMP message ID | icmp.id |
| code | ICMP message code | icmp.code |
| code_string | ICMP message code string | icmp.code-string |
| type | ICMP message type | icmp.type |
| type_string | ICMP message type string | icmp.type-string |
| checksum | ICMP message checksum | icmp.checksum |
| sequence | ICMP message sequence | icmp.sequence |
| data | ICMP message data | icmp.data |

IGMP

Internet Group Management Protocol (RFC 2236)

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets' MAC address in hexadecimal format | flow.c-mac |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| network_interface | Name of the network interface | flow.interface-name |
| capture_hostname | Hostname where the flow was captured | flow.hostname |
| vlan_id | VLAN ID from the 802.1Q header | flow.vlan-id |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets' MAC address in hexadecimal format | flow.s-mac |
| flow_id | Flow ID | flow.flow-id |
| type | IGMP message type | igmp.type |
| type_string | IGMP message type string | igmp.type-string |
| checksum | IGMP checksum | igmp.checksum |
| max_resp_time | Maximum allowed time before sending a response report, in units of 1/10 second | igmp.max-resp-time |
| multicast_address | IP multicast address | igmp.multicast-address |
| misc | Resv, S and QRV fields | igmp.misc |
| qqic | Querier's query interval code | igmp.qqic |
| num_sources | Number of source addresses present in the query | igmp.num-sources |
| source_address | Source IP unicast address | igmp.source-address |
| num_groups | Number of group records | igmp.num-groups |
| group_record_type | Group record type | igmp.group-record-type |
| group_record_type_string | Group record type string | igmp.group-record-type-string |
| group_record_aux_data_len | Length of the auxiliary data field in the group record | igmp.group-record-aux-data-len |
| group_record_num_sources | Number of source addresses present in the group record | igmp.group-record-num-sources |
| group_record_multicast_address | IP multicast address in the group record | igmp.group-record-multicast-address |
| group_record_source_address | Source IP unicast address in the group record | igmp.group-record-source-address |
| group_record_aux_data | Auxiliary data in the group record | igmp.group-record-aux-data |
| protocol_stack | Protocol stack of the flow | flow.protocol-stack |

SNMP

Simple Network Management Protocol (RFC 3413)

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets' MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets' MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| community | Community name | snmp.community |
| method | SNMP request type | snmp.method |
| name | Name of the user | snmp.name |
| request_id | Request identifier | snmp.request-id |
| varbind_list | JSON array of {"oid":varbind_oid, "value":varbind_value, "type": varbind_value_type} | snmp.varbind_list |
| version | SNMP version | snmp.version |

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1
