This documentation does not apply to the most recent version of Splunk Stream™.
For documentation on the most recent version, go to the latest release.
File Transfer
Splunk App for Stream supports capture of these File Transfer protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
FTP
File Transfer Protocol RFC 959
| Name | Description | Term |
|---|---|---|
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| login | User's login string | ftp.login |
| loadway | The file transfer way (Upload vs Download) | ftp.loadway |
| method | Contains the FTP command sent | ftp.method |
| filename | Name of the transferred file | ftp.filename |
| filesize | Size (byte) of the transferred file | ftp.filesize |
| data_port | Data connection TCP port | ftp.data-port |
| content_type | The content type of transferred file | ftp.content-type |
| greeting | First line of the server banner | ftp.greeting-message |
| offset | Start offset of the file transfer | ftp.offset |
| password | User's password string | ftp.password |
| reply_code | FTP server reply code | ftp.reply-code |
| reply_content | FTP server response message content | ftp.reply-content |
| inherent_parent | Parent inheritance key, stored in an hashtable and kept until parent session expiration. | ftp.inherent-parent |
| transfer_duration | Transfer duration | ftp.transfer-duration |
| ftp_index | Identifier of the request and response in a FTP flow. | ftp.index |
HTTP
Hypertext Transfer Protocol RFC 7230
| Name | Description | Term |
|---|---|---|
| bytes | Total number of bytes transferred | flow.bytes |
| bytes_in | Number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | Number of bytes sent from server to client | flow.sc-bytes |
| cookie | Cookie HTTP request header | http.cookie |
| dest_ip | IP address of server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| form_data | A url-encoded string represent | flow.s-ip |
| http_comment | The HTTP status message returned to the client | http.comment |
| http_content_length | HTTP response content length | http.content-length |
| http_content_type | The Content-Type HTTP response header | http.content-type |
| http_method | The HTTP method of the request (GET, POST, etc.) | http.method |
| http_referrer | The Referer HTTP request header | http.referer |
| http_user_agent | The User-Agent HTTP request header | http.useragent |
| server | The Server HTTP response header | http.server |
| site | The Host HTTP request header | http.host |
| src_ip | IP address of the client in dot-quad notation. Contains the value of X-Forwarded-For header or equal to flow.c-ip is X-Forwarded-For is not set. | http.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| status | The HTTP status code returned to the client | http.status |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| title | Page title, extracted from HTML content | http.page-title |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| uri_parm | The parameters portion of the requested resource | http.uri-parm |
| uri_path | The requested resource (excluding query) | http.uri-stem |
| uri_query | The query portion of the requested resource | http.uri-query |
| accept | The Accept HTTP request header | http.accept |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| allow | The Allow HTTP response header | http.allow |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| cached | 1 if the response was cached, 0 if it was not | http.cached |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| content_location | The Content-Location HTTP response header | http.content-location |
| cs_content_length | HTTP request content length | http.cs-content-length |
| cs_content_type | The Content-Type HTTP request header | http.cs-content-type |
| cs_version | The protocol version that the client used | http.cs-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| dest_content | All HTTP payload content sent from server to client | http.sc-content |
| dest_headers | All HTTP headers sent from server to client | http.sc-headers |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| location | The Location HTTP response header | http.location |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| refused | Number of requests that were refused by the server | flow.refused |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| request | The request line exactly as it came from the client | http.request |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| set_cookie | The Set-Cookie HTTP response header | http.set-cookie |
| src_content | All HTTP payload content sent from client to server | http.cs-content |
| src_headers | All HTTP headers sent from client to server | http.cs-headers |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| cp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| transfer_encoding | The Transfer-Encoding HTTP response header | http.transfer-encoding |
| uri | The requested resource (including query) | http.uri |
| user | The username as which the user has authenticated himself | http.authuser |
Last modified on 08 March, 2017
| File Service | Infrastructure |
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1
Download manual
Feedback submitted, thanks!