Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Flow Protocols

NetFlow

Name Description Term
event_name Name of event flow.event-name
netflow_version Netflow Version netflow.version
seqnumber Netflow sequence number netflow.flow-sequence
num_flows Netflow number of flows netflow.num-flows
exporter_ip IP address of device that generated flow netflow.exporterIPAddress
src_ip Source address of flow flow.c-ip
dest_ip Destination address of flow flow.s-ip
src_port Source port number of flow flow.c-port
dest_port Destination port number of flow flow.s-port
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
src_mac Client packets MAC address in hexadecimal format flow.c-mac
protoid IP protocol type ip.protoid
tos Type of Service ip.tos
bytes Total number of Layer 3 bytes in the flow netflow.bytes
packets Total number of packets in the flow flow.packets
time_taken Duration of flow flow.time-taken
tcp_flags Cumulative OR of TCP flags for this flow netflow.tcp-flags
src_sysnum Autonomous system (AS) number of the source of this flow netflow.c-sysnum
dest_sysnum Autonomous system (AS) number of the destination of this flow netflow.s-sysnum
input_snmpidx SNMP index of input interface for this flow netflow.input-snmpidx
output_snmpidx SNMP index of output interface for this flow netflow.output-snmpidx
src_vlan VLAN identifier of incoming frame netflow.src-vlan
dest_vlan VLAN identifier of outgoing frame netflow.dest-vlan

The following terms are also extracted for NetFlow. Their Name and Description entries are not available in this version of the table, so only the Term is listed (the four rows above are taken from the sFlow table on this page, which uses the same terms):

netflow.bgp-nexthop-address
netflow.multicast-out-packets
netflow.multicast-out-bytes
netflow.sc-bytes
netflow.sc-packets
netflow.cs-packets
netflow.cs-bytes
netflow.src-mask
netflow.dest-mask
flow.ipv6-flow-label
netflow.mpls-top-label-type
netflow.mplsTopLabelIPAddress
netflow.selectorId
netflow.selectorAlgorithm
netflow.samplingPacketInterval
netflow-min-ttl
netflow-max-ttl
ip.id
netflow.post-dest-mac
ip.version
flow.direction
netflow.nexthop-address
netflow.post-src-mac
netflow.if-name
netflow.perm-bytes
netflow.perm-packets
netflow.forward-status
netflow.app-tag
app Specifies the name of an application netflow.app-name
drop_octet_count Number of octets since the previous report (if any) of this Flow dropped by packet treatment netflow.droppedOctetDeltaCount
drop_packet_count Number of packets since the previous report (if any) of this Flow dropped by packet treatment netflow.droppedPacketDeltaCount
drop_octet_total_count Number of octets of this Flow dropped by packet treatment netflow.droppedOctetTotalCount
drop_pkt_total_count Number of packets of this Flow dropped by packet treatment netflow.droppedPacketTotalCount
flow_end_reason Reason for Flow termination flow.end-reason
observation_point_id Identifier of an Observation Point that is unique per Observation Domain netflow.observationPointId
linecard_id Identifier of a line card that is unique per IPFIX Device hosting an Observation Point netflow.lineCardId
port_id Identifier of line port that is unique per IPFIX Device hosting an Observation Point netflow.portId
metering_process_id Identifier of a Metering Process that is unique per IPFIX Device netflow.meteringProcessId
export_process_id Identifier of an Exporting Process that is unique per IPFIX Device netflow.exportingProcessId
template_id Identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain netflow.templateId
channel Identifier of the 802.11 (Wi-Fi) channel netflow.wlanChannelId
ssid Service Set Identifier of 802.11 (Wi-Fi) network netflow.wlanSSID
flow_id Identifier of a Flow that is unique within an Observation Domain netflow.flowId
observation_domain_id Identifier of Observation Domain that is locally unique to an Exporting Process netflow.observationDomainId
flow_start_time The absolute timestamp of the first packet of this Flow time.epoch-time
flow_end_time The absolute timestamp of the last packet of this Flow. time.epoch-time-end
flow_start_time_milli The absolute timestamp of the first packet of this Flow netflow.flowStartMilliseconds
flow_end_time_milli The absolute timestamp of the last packet of this Flow. netflow.flowEndMilliseconds
flow_start_time_micro The absolute timestamp of the first packet of this Flow netflow.flowStartMicroseconds
flow_end_time_micro The absolute timestamp of the last packet of this Flow. netflow.flowEndMicroseconds
flow_start_time_nano The absolute timestamp of the first packet of this Flow netflow.flowStartNanoseconds
flow_end_time_nano The absolute timestamp of the last packet of this Flow. netflow.flowEndNanoseconds
sys_init_time_milli The absolute timestamp of the last (re-)initialization of the IPFIX Device. netflow.systemInitTimeMilliseconds
flow_duration_milli The difference in time between the first observed packet of this Flow and the last observed packet of this Flow netflow.flowDurationMilliseconds
flow_duration_micro The difference in time between the first observed packet of this Flow and the last observed packet of this Flow. netflow.flowDurationMicroseconds
obsv_flow_count Total number of Flows observed in the Observation Domain since the Metering Process (re-)initialization netflow.observedFlowTotalCount
ignored_pkt_count Total number of observed IP packets that the Metering Process did not process since the Metering Process (re-)initialization netflow.ignoredPacketTotalCount
ignored_octet_count Total number of octets that the Metering Process did not process since the Metering Process (re-)initialization netflow.ignoredOctetTotalCount
not_sent_flow_count Total number of Flow Records dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process netflow.notSentFlowTotalCount
not_sent_pkt_count Total number of packets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process netflow.notSentPacketTotalCount
not_sent_octet_count Total number of octets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process netflow.notSentOctetTotalCount
src_ip_prefix Source address prefix netflow.sourceIPPrefix
dest_ip_prefix Destination address prefix netflow.destinationIPPrefix
post_octet_count Modified total octet count caused by a middlebox function after the packet passed the Observation Point. netflow.postOctetTotalCount
post_pkt_count Modified total packet count caused by a middlebox function after the packet passed the Observation Point. netflow.postPacketTotalCount
tcp_seq_num The sequence number in the TCP header netflow.tcpSequenceNumber
tcp_ack_num The acknowledgement number in the TCP header netflow.tcpAcknowledgementNumber
tcp_win_size The window field in the TCP header netflow.tcpWindowSize
ip_frag_flags Fragmentation properties indicated by flags ip.fragment-flags
tcp_total_syn_count Number of packets of this Flow with TCP SYN flag set netflow.tcpSynTotalCount
tcp_total_fin_count Number of packets of this Flow with TCP FIN flag set netflow.tcpFinTotalCount
tcp_total_rst_count Number of packets of this Flow with TCP RST flag set netflow.tcpRstTotalCount
tcp_total_psh_count Number of packets of this Flow with TCP PSH flag set netflow.tcpPshTotalCount
tcp_total_ack_count Number of packets of this Flow with TCP ACK flag set netflow.tcpAckTotalCount
tcp_total_urg_count Number of packets of this Flow with TCP URG flag set netflow.tcpUrgTotalCount
nat_event Indicates a NAT event netflow.natEvent
multicast_flags Flags to indicate multicast netflow.isMulticast
firewall_event Indicates a firewall event netflow.firewallEvent
tcp_window_scale The scale of the window field in the TCP header netflow.tcpWindowScale
ingress_interface Networking device's physical interface (example, a switch port) where packets of this flow are being received netflow.ingressPhysicalInterface
egress_interface Networking device's physical interface (example, a switch port) where packets of this flow are being sent netflow.egressPhysicalInterface
msg_md5_chksum MD5 checksum of the IPFIX Message containing this record netflow.messageMD5Checksum
txn_id Identifies a transaction within a connection netflow.connectionTransactionId
is_p2p Specifies if Application ID is based on peer-to-peer technology netflow.p2pTechnology
is_tunnel Specifies if Application ID is used as a tunnel technology netflow.tunnelTechnology
is_encrypted Specifies if Application ID is an encrypted networking protocol netflow.encryptedTechnology
ipsec_spi IPSec Security Parameters Index (SPI) netflow.IPSecSPI
gre_key GRE key, identifying an individual traffic flow within a tunnel netflow.greKey
nat_type Type of NAT treatment netflow.natType
selector_name Name of a selector identified by a selectorID netflow.selectorName
virtual_station_itf_id Instance Identifier of the interface to a Virtual Station netflow.virtualStationInterfaceId
virtual_station_itf_name Name of the interface to a Virtual Station netflow.virtualStationInterfaceName
virtual_station_uuid Unique Identifier of a Virtual Station netflow.virtualStationUUID
virtual_station_name Name of a Virtual Station netflow.virtualStationName
layer2_segment_id Identifier of a layer 2 network segment in an overlay network netflow.layer2SegmentId
ingress_unicast_pkt_count Total number of incoming unicast packets netflow.ingressUnicastPacketTotalCount
ingress_multicast_pkt_count Total number of incoming multicast packets netflow.ingressMulticastPacketTotalCount
ingress_broadcast_pkt_count Total number of incoming broadcast packets netflow.ingressBroadcastPacketTotalCount
egress_unicast_pkt_count Total number of outgoing unicast packets netflow.egressUnicastPacketTotalCount
egress_broadcast_pkt_count Total number of outgoing broadcast packets netflow.egressBroadcastPacketTotalCount
sta_mac_addr IEEE 802 MAC address of a wireless station (STA). netflow.staMacAddress
sta_ip_addr IP address of a wireless station netflow.staIPAddress
wtp_mac_addr IEEE 802 MAC address of a wireless access point netflow.wtpMacAddress
ingress_itf_type Type of interface where packets of this Flow are being received netflow.ingressInterfaceType
egress_itf_type Type of interface where packets of this Flow are being sent netflow.egressInterfaceType
user_name User name associated with the flow netflow.userName
netflow_elements Key Value pairs netflow.elements
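The tcp_flags field in the table is the cumulative OR of the TCP flags byte over every packet in the flow, so it records which flags were ever seen, not their order. That is still enough to separate completed sessions (which always carry ACK) from flows that never got past the client's first SYN, the classic footprint of a port scan or of probes against closed ports. The following is an added example, not code from Splunk Stream or its documentation: the records it runs over are constructed with the field names from the table, the bit layout is the standard TCP flags byte (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20, ECE 0x40, CWR 0x80), and the threshold of ten distinct targets is an arbitrary choice. Where the exporter sends the IPFIX per-flag counters (tcp_total_syn_count, tcp_total_ack_count and so on), those give the same answer without decoding the bitmask.

```python
"""Decode cumulative NetFlow tcp_flags and report SYN-scan-like sources.

Added example for the NetFlow field reference; not part of Splunk Stream.
All records below are constructed test data keyed by the table's field names.
"""
from collections import defaultdict

# Standard TCP flags byte (RFC 793, ECE/CWR from RFC 3168). NetFlow's tcp_flags
# is the OR of this byte across every packet in the flow.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def decode_tcp_flags(value):
    """Return the set of flag names present in a cumulative tcp_flags value."""
    value = int(value)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"tcp_flags out of range: {value!r}")
    return {name for name, bit in TCP_FLAG_BITS.items() if value & bit}


def is_unanswered_syn(rec):
    """True for a TCP flow whose cumulative flags include SYN but never ACK.

    A completed handshake always ORs ACK into the flow, so SYN-without-ACK
    means the client's first packet was never answered with SYN/ACK: closed
    port, filtered port, or a deliberate half-open probe. On a bidirectional
    exporter a target's RST is ORed in too (0x06); on a unidirectional one
    the RST lives in the reverse flow, so the client flow is plain 0x02.
    """
    if int(rec["protoid"]) != 6:          # 6 = TCP; UDP/ICMP flows have no flags
        return False
    flags = decode_tcp_flags(rec["tcp_flags"])
    return "SYN" in flags and "ACK" not in flags


def find_scanners(records, min_ports=10):
    """Group unanswered-SYN flows by src_ip and return the sources that hit
    at least min_ports distinct (dest_ip, dest_port) pairs, as
    {src_ip: sorted list of (dest_ip, dest_port)}."""
    targets = defaultdict(set)
    for rec in records:
        if is_unanswered_syn(rec):
            targets[rec["src_ip"]].add((rec["dest_ip"], int(rec["dest_port"])))
    return {ip: sorted(t) for ip, t in targets.items() if len(t) >= min_ports}


def _flow(src, dst, dport, flags, packets=1, nbytes=60):
    # Constructed record using the table's field names; protoid 6 = TCP.
    return {"src_ip": src, "dest_ip": dst, "dest_port": dport, "protoid": 6,
            "tcp_flags": flags, "packets": packets, "bytes": nbytes, "time_taken": 0}


SAMPLE_RECORDS = (
    # One host probing twelve ports on a server: each flow is a lone SYN (0x02)
    # or SYN plus the target's RST (0x06); none ever carries ACK.
    [_flow("10.0.0.5", "10.0.1.20", p, 0x02 if p % 2 else 0x06) for p in range(20, 32)]
    # Legitimate sessions: SYN, ACK, PSH and FIN all seen over the flow (0x1B).
    + [_flow("10.0.0.9", "10.0.1.20", 443, 0x1B, packets=42, nbytes=31000),
       _flow("10.0.0.9", "10.0.1.21", 22, 0x1B, packets=120, nbytes=88000)]
)


if __name__ == "__main__":
    for ip, hit in find_scanners(SAMPLE_RECORDS).items():
        print(f"{ip} sent unanswered SYNs to {len(hit)} targets: {[p for _, p in hit]}")
```

Running the file prints the one probing host and the ports it touched. The same logic in a search over indexed Stream events is a bitwise test on tcp_flags (SYN bit set, ACK bit clear) followed by a distinct count of dest_port per src_ip; the Python version exists to make the bit arithmetic explicit.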

sFlow

Name Description Term
sflow_version sFlow Version sflow.version
seqnumber sFlow sequence number sflow.flow-sequence
exporter_ip IP address of device that generated flow netflow.exporterIPAddress
src_ip Source address of flow flow.c-ip
dest_ip Destination address of flow flow.s-ip
src_port Source port number of flow flow.c-port
dest_port Destination port number of flow flow.s-port
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
src_mac Client packets MAC address in hexadecimal format flow.c-mac
protoid IP protocol type ip.protoid
ip_len Length of the IP packet ip.packet-len
tcp_flags Cumulative OR of TCP flags for this flow netflow.tcp-flags
tos Type of Service ip.tos
packets Total number of packets in the flow flow.packets
time_taken Duration of flow flow.time-taken
src_sysnum Autonomous system (AS) number of the source of this flow netflow.c-sysnum
dest_sysnum Autonomous system (AS) number of the destination of this flow netflow.s-sysnum
input_snmpidx SNMP index of input interface for this flow netflow.input-snmpidx
output_snmpidx SNMP index of output interface for this flow netflow.output-snmpidx
sflow_sampling_rate sFlow sampling rate sflow.sampling-rate
sflow_sample_pool Total number of packets that could have been sampled (packets skipped by the sampler plus packets actually sampled); cumulative per sampling instance sflow.sample-pool
sflow_dropped_pkts Number of times the agent dropped a packet that had been selected for sampling because of a lack of resources; cumulative per sampling instance sflow.dropped-pkts
sflow_input_itf_index Interface packet was received on sflow.input-interface-index
sflow_output_itf_index Interface packet was sent on sflow.output-interface-index
sflow_header_protocol sFlow raw packet header protocol sflow.header-protocol
orig_frame_len Original length of the sampled packet before any octets were stripped sflow.frame-length
stripped_octets Number of octets removed from the packet before the header sample was taken sflow.stripped-octets
ethernet_pkt_type Ethernet packet type sflow.ethernet-packet-type
interface_name Name of network interface flow.interface-name
interface_index Network interface index flow.interface-index
interface_type Network interface type flow.interface-type
interface_speed Network interface speed flow.interface-speed
interface_direction Interface Direction flow.interface-direction
interface_status Interface status flow.interface-status
interface_input_octets Interface input octets flow.interface-input-octets
interface_input_pkts Interface input packets flow.interface-input-pkts
interface_input_multi_pkts Interface multicast packets flow.interface-input-multi-pkts
interface_input_broad_pkts Interface broadcast packets flow.interface-input-broad-pkts
interface_input_discard_pkts Interface discarded packets flow.interface-input-discard-pkts
interface_input_errors Interface input errors flow.interface-input-errors
interface_input_unk_proto_pkts Interface input unknown protocol packets flow.interface-input-unk-protos
interface_output_octets Interface output octets flow.interface-output-octets
interface_output_pkts Interface output packets flow.interface-output-pkts
interface_output_multi_pkts Interface multicast packets flow.interface-output-multi-pkts
interface_output_broad_pkts Interface broadcast packets flow.interface-output-broad-pkts
interface_output_discard_pkts Interface discarded packets flow.interface-output-discard-pkts
interface_output_errors Interface output errors flow.interface-output-errors
interface_promiscuous_mode Interface promiscuous mode flow.interface-promiscuous
dot3_stats_alignment_errs Frames received that are not an integral number of octets in length and do not pass the FCS check sflow.dot3StatsAlignmentErrors
dot3_stats_fcs_errs Frames received that are an integral number of octets in length but do not pass the FCS check sflow.dot3StatsFCSErrors
dot3_stats_single_collision_frames Count of transmitted frames on a particular interface for which transmission is inhibited by exactly one collision sflow.dot3StatsSingleCollisionFrames
dot3_stats_multi_collision_frames Count of transmitted frames on a particular interface for which transmission is inhibited by more than one collision sflow.dot3StatsMultipleCollisionFrames
dot3_stats_sqe_test_errors Count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface sflow.dot3StatsSQETestErrors
dot3_stats_deferred_transmissions Count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy sflow.dot3StatsDeferredTransmissions
dot3_stats_late_collisions Number of times that a collision is detected on a particular interface later than 512 bit-times into the transmission of a packet sflow.dot3StatsLateCollisions
dot3_stats_excessive_collisions Count of frames for which transmission on a particular interface fails due to excessive collisions sflow.dot3StatsExcessiveCollisions
dot3_stats_internal_mac_transmit_errors Count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error sflow.dot3StatsInternalMacTransmitErrors
dot3_stats_carrier_sense_errors Number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame sflow.dot3StatsCarrierSenseErrors
dot3_stats_frame_too_longs Count of frames received on a particular interface that exceed the maximum permitted frame size sflow.dot3StatsFrameTooLongs
dot3_stats_internal_mac_receive_errors Count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error sflow.dot3StatsInternalMacReceiveErrors
dot3_stats_symbol_errors Number of times there was an invalid data symbol when a valid carrier was present on a particular interface sflow.dot3StatsSymbolErrors
dot5_stats_line_errors Count of tokens or frames received with the E bit set to zero that either contain a J or K bit between the SD and the ED or fail the FCS check sflow.dot5StatsLineErrors
dot5_stats_burst_errors Count of absences of transitions for five half-bit timers sflow.dot5StatsBurstErrors
dot5_stats_ac_errors Count of errors resulting from a station that cannot set the AC bits properly sflow.dot5StatsACErrors
dot5_stats_abort_trans_errors Count of errors resulting from an abort delimiter while transmitting sflow.dot5StatsAbortTransErrors
dot5_stats_internal_errors Count of internal errors sflow.dot5StatsInternalErrors
dot5_stats_lost_frame_errors Count of errors resulting from TRR timer expiry sflow.dot5StatsLostFrameErrors
dot5_stats_recv_congestion Count of errors resulting from no available buffer space or congestion sflow.dot5StatsReceiveCongestions
dot5_stats_frame_copy_errs Count of errors resulting from FS field A bits set to 1 sflow.dot5StatsFrameCopiedErrors
dot5_stats_token_errs Count of errors resulting from a condition that needs a token transmitted sflow.dot5StatsTokenErrors
dot5_stats_soft_errs Count of Soft Errors the interface has detected sflow.dot5StatsSoftErrors
dot5_stats_hard_errs Number of times this interface has detected an immediately recoverable fatal error sflow.dot5StatsHardErrors
dot5_stats_signal_loss Number of times this interface has detected the loss of signal condition from the ring sflow.dot5StatsSignalLoss
dot5_stats_transmit_beacons Number of times this interface has transmitted a beacon frame sflow.dot5StatsTransmitBeacons
dot5_stats_recoverys Number of Claim Token MAC frames received or transmitted after the interface has received a Ring Purge MAC frame sflow.dot5StatsRecoverys
dot5_stats_lobe_wires Number of times the interface has detected an open or short circuit in the lobe data path sflow.dot5StatsLobeWires
dot5_stats_removes Number of times the interface has received a Remove Ring Station MAC frame request sflow.dot5StatsRemoves
dot5_stats_singles Number of times the interface has sensed that it is the only station on the ring sflow.dot5StatsSingles
dot5_stats_freq_errs Number of times the interface has detected that the frequency of the incoming signal differs from the expected frequency by more than that specified by the IEEE 802.5 standard sflow.dot5StatsFreqErrors
dot12_in_high_priority_frames Count of high priority frames that have been received on this interface sflow.dot12InHighPriorityFrames
dot12_in_high_priority_octets Count of number of octets contained in high priority frames that have been received on this interface sflow.dot12InHighPriorityOctets
dot12_in_norm_priority_frames Count of normal priority frames that have been received on this interface sflow.dot12InNormPriorityFrames
dot12_in_norm_priority_octets Count of number of octets contained in normal priority frames that have been received on this interface sflow.dot12InNormPriorityOctets
dot12_in_ipm_errs Count of number of frames that have been received on this interface with an invalid packet marker and no PMI errors sflow.dot12InIPMErrors
dot12_in_oversize_frames_errs Count of oversize frames received on this interface sflow.dot12InOversizeFrameErrors
dot12_in_data_errs Count of frames received on this interface with data errors sflow.dot12InDataErrors
dot12_in_null_address_frames Count of null addressed frames received on this interface sflow.dot12InNullAddressedFrames
dot12_out_high_priority_frames Count of high priority frames successfully transmitted out sflow.dot12OutHighPriorityFrames
dot12_out_high_priority_octets Count of octets of high priority frames successfully transmitted out sflow.dot12OutHighPriorityOctetss
dot12_transition_trainings Count of the number of times this interface has entered the training state sflow.dot12TransitionIntoTrainings
dot12_hc_in_high_priority_octets Count of the number of octets contained in high priority frames that have been received on this interface sflow.dot12HCInHighPriorityOctets
dot12_hc_in_norm_priority_octets Count of the number of octets contained in normal priority frames that have been received on this interface sflow.dot12HCInNormPriorityOctets
dot12_hc_out_high_priority_octets Count of the number of octets contained in high priority frames that have been sent out of this interface sflow.dot12HCOutHighPriorityOctets
vlan_id Vlan Id flow.vlan-id
vlan_octets Count of octets sflow.vlanOctets
vlan_ucast_pkts Count of uni-cast packets sflow.vlan-ucast-packets
vlan_multi_cast_pkts Count of multi-cast packets sflow.vlan-multicast-packets
vlan_broad_cast_pkts Count of broadcast packets sflow.vlan-broadcast-packets
vlan_discards Count of discards sflow.vlanDiscards
cpu_util_5s 5 second average CPU utilization sflow.cpu_percent_5s
cpu_util_1m 1 minute average CPU utilization sflow.cpu_percent_1m
cpu_util_5m 5 minute average CPU utilization sflow.cpu_percent_5m
total_mem Total memory(in bytes) sflow.total-mem
free_mem Free memory(in bytes) sflow.free-mem
dest_vlan VLAN identifier of outgoing frame netflow.dest-vlan
dest_vlan_priority 802.1p priority of outgoing frame netflow.dest-vlan_priority
src_vlan VLAN identifier of incoming frame netflow.src-vlan
src_vlan_priority 802.1p priority of incoming frame netflow.src-vlan_priority
sflow_elements Key Value pairs sflow.elements
event_name Name of event flow.event-name
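sFlow is packet sampling rather than flow accounting: each flow sample stands for roughly sflow_sampling_rate packets, so raw sample counts understate traffic by that factor, and sflow_sample_pool together with sflow_dropped_pkts are the counters that say how many samples should have arrived. The example below is added here and is not code from Splunk Stream: it scales constructed samples back to estimated bytes and packets per source, then uses the cumulative counters to measure how much of the sample stream went missing, whether through agent-side drops (which the agent reports) or sFlow datagrams lost in transit (which sFlow, being UDP, does not report anywhere else). Field names follow the table; the exporter address, sampling rate and sample values are made up.

```python
"""Scale sFlow packet samples to estimated volume and check sample completeness.

Added example for the sFlow field reference; not part of Splunk Stream.
All samples below are constructed test data keyed by the table's field names.
"""
from collections import defaultdict


def estimate_volume(samples):
    """Per-source estimate of packets and bytes on the wire.

    With 1-in-N sampling each sample represents about N packets, so the
    sample's orig_frame_len is weighted by its own sflow_sampling_rate
    (per sample, not one global factor, because several agents or a rate
    change can mix rates). Returns {src_ip: {"packets", "bytes", "samples"}}.
    """
    out = defaultdict(lambda: {"packets": 0, "bytes": 0, "samples": 0})
    for s in samples:
        rate = int(s["sflow_sampling_rate"])
        if rate < 1:
            raise ValueError(f"bad sampling rate {rate!r} from {s['exporter_ip']}")
        entry = out[s["src_ip"]]
        entry["packets"] += rate
        entry["bytes"] += rate * int(s["orig_frame_len"])
        entry["samples"] += 1
    return dict(out)


def sampling_health(samples):
    """Per-exporter check of how complete the received sample stream is.

    sflow_sample_pool counts every packet the sampler could have picked
    (skipped plus sampled) and is cumulative, so between the first and last
    sample seen from an exporter about pool_delta / rate samples should have
    arrived after the first. A shortfall is agent-side drops (the cumulative
    sflow_dropped_pkts, reported here as agent_dropped) plus datagrams lost in
    transit, which nothing in the stream reports. Any estimate from
    estimate_volume() undercounts by at least the missing share.
    Returns {exporter_ip: {"expected", "received", "missing", "agent_dropped"}}.
    """
    first, last, received = {}, {}, defaultdict(int)
    for s in samples:
        key = s["exporter_ip"]
        state = (int(s["sflow_sample_pool"]), int(s["sflow_dropped_pkts"]),
                 int(s["sflow_sampling_rate"]))
        first.setdefault(key, state)
        last[key] = state
        received[key] += 1
    report = {}
    for key, (pool0, drop0, rate) in first.items():
        pool1, drop1, _ = last[key]
        expected = (pool1 - pool0) // rate      # samples due after the first one
        got = received[key] - 1
        report[key] = {"expected": expected, "received": got,
                       "missing": max(expected - got, 0),
                       "agent_dropped": drop1 - drop0}
    return report


def _sample(src, frame_len, pool, dropped, exporter="192.0.2.1", rate=1000):
    # Constructed flow sample: one exporter, 1-in-1000 sampling.
    return {"exporter_ip": exporter, "src_ip": src, "dest_ip": "10.0.1.20",
            "orig_frame_len": frame_len, "sflow_sampling_rate": rate,
            "sflow_sample_pool": pool, "sflow_dropped_pkts": dropped}


SAMPLE_FLOW_SAMPLES = [
    _sample("10.0.0.5", 1500, 1000, 0),
    _sample("10.0.0.5", 1500, 2000, 0),
    _sample("10.0.0.7", 64, 3000, 0),
    # The pool advanced by 3000 packets while only one sample arrived, and the
    # agent reports two selected samples it could not export.
    _sample("10.0.0.5", 1500, 6000, 2),
]


if __name__ == "__main__":
    for ip, v in estimate_volume(SAMPLE_FLOW_SAMPLES).items():
        print(f"{ip}: ~{v['packets']} packets, ~{v['bytes']} bytes from {v['samples']} samples")
    for exporter, h in sampling_health(SAMPLE_FLOW_SAMPLES).items():
        print(f"{exporter}: expected {h['expected']} samples, got {h['received']}, "
              f"missing {h['missing']} (agent dropped {h['agent_dropped']})")
```

The scaled figures are estimates with sampling error that shrinks with the number of samples, so a source that appears in a handful of samples is an indication, not a measurement; the "samples" count is kept in the output for exactly that reason. The health report is the check to run before trusting any volume number from an sFlow source: a steadily growing "missing" figure means the collector, not the network, is the bottleneck.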
Last modified on 15 February, 2017

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1

