Splunk App for Stream supports capture of these Email protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
IMAP
INTERNET MESSAGE ACCESS PROTOCOL RFC 3501
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport level protocol | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_filename | Attachment name | email.attach-filename |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request which the email is attached to | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
received_by_ip | Contains the IP address of the receiving host name | email.received-by-ip |
received_by_name | Contains the receiving host name | email.received-by-name |
received_date | Date when the transport service relayed the message | email.received-date |
received_from_ip | Contains the IP address of the sending host name | email.received-from-ip |
received_from_name | Contains the sending host name | email.received-from-name |
received_server_agent | Contains the name of the sever agent | email.received-server-agent |
received_with | Contains the software used to send the email | email.received-with |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (included cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
MAPI
Messaging Application Programming Interface
Name | Description | Term |
---|---|---|
action | Indicates if the message is read (Read) or composed (Compose) | email.action |
attach_filename | Attachment file name | email.attach-filename |
reply_to | Attachment file size | email.attach-size |
contact_alias | Contains the name of the sever agent | email.contact-alias |
contact_email | Email address of the email receiver | email.contact-email |
content | Content of the message | email.content |
importance | Indicates if the email has been marked by the user | email.importance |
login | User's login string | email.login |
login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
msglist_receiver | Full address of email receiver in a message list | email.msglist-receiver |
receiver_email | Contains the IP address of the sending host name | email.msglist-receiver-email |
msglist_sender | Full address of email sender (alias and email address) (UTF-16) | email.msglist-sender |
msglist_size | Message size in a message list | email.msglist-size |
msglist_subject | Message subject in a message list (UTF-16) | email.msglist-subject |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (included cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
subject | Subject of the e-mail message | email.subject |
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
refused | Number of requests that were refused by the server | flow.refused |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport level protocol | flow.transport |
auth_type | Authentication type used | mapi.authtype |
date | Message date number of 100-nanosecond intervals since January 1, 1601 | mapi.date |
domain | Network domain of the client | mapi.domain |
email_type | email type | mapi.email-type |
host | Clients host name | mapi.host |
received_with | Sensibility of the message | mapi.msg-sensibility |
size | Message size | mapi.size |
POP3
Post Office Protocol-Version 3 RFC 5034
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
attach_filename | Attachment name | email.attach-filename |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_body | Data containing body | email.content-body |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request which the email is attached to | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
login_servier | Concatenated login and server: <login>@<server>, string | email.login-server |
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
password | User's password string | email.password |
received_by_ip | Contains the IP address of the receiving host name | email.received-by-ip |
received_by_name | Contains the receiving host name | email.received-by-name |
received_date | Date when the transport service relayed the message | email.received-date |
received_from_ip | Contains the IP address of the sending host name | email.received-from-ip |
received_from_name | Contains the sending host name | email.received-from-name |
received_server_agent | Contains the name of the sever agent | email.received-server-agent |
received_with | Contains the software used to send the email | email.received-with |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (included cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
SMTP
Simple Mail Transfer Protocol RFC 2821
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
attach_filename | Attachment name | email.attach-filename |
attach_size | Attachment MIME size | email.attach-size |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_body | Data containing body | email.content-body |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request which the email is attached to | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
password | User's password string | email.password |
received_by_ip | Contains the IP address of the receiving host name | email.received-by-ip |
received_by_name | Contains the receiving host name | email.received-by-name |
received_date | Date when the transport service relayed the message | email.received-date |
received_from_ip | Contains the IP address of the sending host name | email.received-from-ip |
received_from_name | Contains the sending host name | email.received-from-name |
received_server_agent | Contains the name of the sever agent | email.received-server-agent |
received_with | Contains the software used to send the email | email.received-with |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (included cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
duration | Duration of the SMTP session in seconds | smtp.duration |
receiver_rcpt_to | Recipient's email address (used by RCPT TO method) | smtp.receiver-rcpt-to |
response_code | Return code | smtp.response-code |
sender_mail_from | Sender's email address (used by MAIL FROM method) | smtp.sender-mail-from |
sender_server | Contains the name of the used smtp server | smtp.sender-server |
server_agent | The software name used by the email server | smtp.server-agent |
start_time | Starting time of SMTP session | smtp.start-time |
stop_time | Ending time of SMTP session | smtp.stop-time |
Database | Flow Protocols |
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1
Feedback submitted, thanks!