This documentation does not apply to the most recent version of Splunk Stream™.
For documentation on the most recent version, go to the latest release.
Authentication
Splunk App for Stream supports capture of these Authentication protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
DIAMETER
DIAMETER Protocol
| Name | Description | Term |
|---|---|---|
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP Address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | Server IP Address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport level protocol | flow.transport |
| acct_input_octets | Indicates how many octets have been received from the port over the course of this service being provided | diameter.acct-input-octets |
| acct_multi_session_id | Link between multiple accounting sessions | diameter.acct-multi-session-id |
| acct_output_octets | Indicates how many octets have been sent to the port in the course of delivering this service | diameter.acct-output-octets |
| acct_record_number | Unique identifier for one record within a session | diameter.acct-record-number |
| acct_record_type | Record type | diameter.acct-record-type |
| acct_session_id | Accounting session ID | diameter.acct-session-id |
| acct_sub_session_id | Sub-session identifier | diameter.acct-sub-session-id |
| application_id | Identify which application the message is applicable for | diameter.application-id |
| auth_request_type | Requested authentication type | diameter.auth-request-type |
| called_station_id | The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology | diameter.called-station-id |
| calling_station_id | Client id | diameter.calling-station-id |
| command_code | Command associated with the Diameter request | diameter.command-code |
| command_flags | Bitfield which defines some attributes of a command on one byte as follows: [RPE.....] ('R'equest/answer, 'P'roxiable, 'E'rror) | diameter.command-flags |
| destination_host | Destination Diameter host for the current message | diameter.destination-host |
| end_to_end_id | Used to detect duplicate messages | diameter.end-to-end-id |
| framed_ip | IP address | diameter.framed-ip |
| hop_by_hop_id | Used to match Diameter request and reply messages | diameter.hop-by-hop-id |
| login | User's login string | diameter.login |
| nas_id | Unique identifier of NAS originating access request | diameter.nas-id |
| nas_ip | IP address of of NAS originating access request | diameter.nas-ip |
| nas_port | Physical port number of the user on the NAS | diameter.nas-port |
| nas_port_id | Identifies the NAS | diameter.nas-port-id |
| nas_port_type | Indicates the type of physical port NAS is using to authenticate the user | diameter.nas-port-type |
| origin_host | Source Diameter host for the current message | diameter.origin-host |
| result_code | Indicates whether a particular Diameter request was completed successfully or not | diameter.result-code |
| session_id | Uniquely identifies the current user session | diameter.session-id |
| terminate_cause | This attribute indicates how the session was terminated | diameter.terminate-cause |
LDAP
Lightweight Directory Access Protocol RFC 1777
| Name | Description | Term |
|---|---|---|
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| assertion_value | Filter expression second operand, which is an assertion value | ldap.assertion-value |
| assertion_description | Filter expression first operand, which is an attribute description | ldap.attribute-description |
| contains_sasl | Indicates whether the authentication is done using SASL mechanism | ldap.contains-sasl |
| hostname | Hostname extracted from a logon response to a CLDAP searchRequest | ldap.hostname |
| message_id | Message identification | ldap.message-id |
| message_type | Message type | ldap.message-type |
| elements | LDAP element, map containing name-value pairs with nested elements | ldap.elements |
RADIUS
Remote Authentication Dial In User Service RFC 2865
| Name | Description | Term |
|---|---|---|
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport level protocol | flow.transport |
| id | Packet Identifier | radius.id |
| code | Radius message code | radius.code |
| status | Status | radius.status |
| login | User login string | radius.login |
| login_ipv6_host | Indicates the system with which to connect the user | radius.login-ipv6-host |
| session_timeout | Maximum duration of session in seconds | radius.session-timeout |
| idle_timeout | Maximum idle duration of session in seconds | radius.idle-timeout |
| nas_id | Unique identifier of NAS originating access request | radius.nas-id |
| nas_ip | IP address of of NAS originating access request | radius.nas-ip |
| nas_ipv6 | IPV6 address of of NAS originating access request | radius.nas-ipv6 |
| nas_port | Physical port number of the user on the NAS | radius.nas-port |
| nas_port_id | Identifies the NAS | radius.nas-port-id |
| nas_port_type | Indicates the type of physical port NAS is using to authenticate the user | radius.nas-port-type |
| start_time | Indicates the beginning of the user service | radius.start-time |
| stop_time | Indicates the end of the user service | radius.stop-time |
| terminate_cause | Indicates how the session was terminated | radius.terminate-cause |
| framed_ip | Indicates the IP address to be configured for the user | radius.framed-ip |
| framed_ipv6_route | Indicates the routing information to be configured for the user on the NAS | radius.framed-ipv6-route |
| framed_ipv6_pool | Indicates the name of an assigned pool that should be used to assign an IPv6 prefix for the user | radius.framed-ipv6-pool |
| callback_number | Indicates the dialing string to be used for callback | radius.callback-number |
| called_station_id | Indicates the phone number that the user called | radius.called-station-id |
| vendor_id | Indicates the SMI Network Management Private Enterprise Code of the Vendor | radius.vendor-id |
| acct_session_id | Indicates the accounting session id | radius.account-session-id |
| sgsn_address | Indicates the IP address of the SGSN | radius.sgsn-ip |
| sgsn_mcc_mnc | Indicates the SGSN MCC and MNC | radius.sgsn-mcc |
Last modified on 08 March, 2017
| Supported protocols | Database |
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1
Download manual
Feedback submitted, thanks!