This documentation does not apply to the most recent version of Splunk Stream™.
For documentation on the most recent version, go to the latest release.
Flow Protocols
NetFlow
| Name | Description | Term |
|---|---|---|
| app | Specifies the name of an application | netflow.app-name |
| app_tag | Application Id | netflow.app-tag |
| bgp_nxt_hop_ip | IP address of the next (adjacent) BGP hop | netflow.bgp-nexthop-address |
| bytes | Total number of Layer 3 bytes in the flow | netflow.bytes |
| bytes_in | Incoming counter for number of bytes associated with an IP Flow | netflow.cs-bytes |
| bytes_out | Outgoing counter for number of bytes associated with an IP Flow | netflow.sc-bytes |
| channel | Identifier of the 802.11 (Wi-Fi) channel | netflow.wlanChannelId |
| dest_ip | Destination address of flow | flow.s-ip |
| dest_ip_prefix | Destination address prefix | netflow.destinationIPPrefix |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_mask | Number of contiguous bits that are relevant in the destination ip prefix | netflow.dest-mask |
| dest_port | Destination port number of flow | flow.s-port |
| dest_sysnum | System number of destination for this flow | netflow.s-sysnum |
| drop_octet_count | Number of octets since the previous report (if any) of this Flow dropped by packet treatment | netflow.droppedOctetDeltaCount |
| drop_octet_total_count | Number of octets of this Flow dropped by packet treatment | netflow.droppedOctetTotalCount |
| drop_packet_count | Number of packets since the previous report (if any) of this Flow dropped by packet treatment | netflow.droppedPacketDeltaCount |
| drop_pkt_total_count | Number of packets of this Flow dropped by packet treatment | netflow.droppedPacketTotalCount |
| egress_broadcast_pkt_count | Total number of outgoing unicast packets | netflow.egressBroadcastPacketTotalCount |
| egress_interface | Networking device's physical interface (example, a switch port) where packets of this flow are being sent | netflow.egressPhysicalInterface |
| egress_itf_type | Type of interface where packets of this Flow are being sent | netflow.egressInterfaceType |
| egress_unicast_pkt_count | Total number of outgoing unicast packets | netflow.egressUnicastPacketTotalCount |
| egress_vlan | Virtual LAN identifier associated with egress interface | netflow.dest-vlan |
| event_name | Name of event | flow.event-name |
| export_process_id | Identifier of an Exporting Process that is unique per IPFIX Device | netflow.exportingProcessId |
| exporter_ip | IP address of device that generated flow | netflow.exporterIPAddress |
| firewall_event | Indicates a firewall event | netflow.firewallEvent |
| flow_dir | The direction of the Flow at observation point | flow.direction |
| flow_duration_micro | The difference in time between the first observed packet of this Flow and the last observed packet of this Flow. | netflow.flowDurationMicroseconds |
| flow_duration_milli | The difference in time between the first observed packet of this Flow and the last observed packet of this Flow | netflow.flowDurationMilliseconds |
| flow_end_reason | Reason for Flow termination | flow.end-reason |
| flow_end_time | The absolute timestamp of the last packet of this Flow. | time.epoch-time-end |
| flow_end_time_micro | The absolute timestamp of the last packet of this Flow. | netflow.flowEndMicroseconds |
| flow_end_time_milli | The absolute timestamp of the last packet of this Flow. | netflow.flowEndMilliseconds |
| flow_end_time_nano | The absolute timestamp of the last packet of this Flow. | netflow.flowEndNanoseconds |
| flow_id | Identifier of a Flow that is unique within an Observation Domain | netflow.flowId |
| flow_label_ipv6 | IPv6 Flow Label field | flow.ipv6-flow-label |
| flow_start_time | The absolute timestamp of the first packet of this Flow | time.epoch-time |
| flow_start_time_micro | The absolute timestamp of the first packet of this Flow | netflow.flowStartMicroseconds |
| flow_start_time_milli | The absolute timestamp of the first packet of this Flow | netflow.flowStartMilliseconds |
| flow_start_time_nano | The absolute timestamp of the first packet of this Flow | netflow.flowStartNanoseconds |
| fwd_status | Forwarding status of the flow | netflow.forward-status |
| gre_key | GRE key, identifying an individual traffic flow within a tunnel | netflow.greKey |
| ignored_octet_count | Total number of octets that the Metering Process did not process since the Metering Process (re-)initialization | netflow.ignoredOctetTotalCount |
| ignored_pkt_count | Total number of observed IP packets that the Metering Process did not process since the Metering Process (re-)initialization | netflow.ignoredPacketTotalCount |
| ingress_broadcast_pkt_count | Total number of incoming broadcast packets | netflow.ingressBroadcastPacketTotalCount |
| ingress_interface | Networking device's physical interface (example, a switch port) where packets of this flow are being received | netflow.ingressPhysicalInterface |
| ingress_itf_type | Type of interface where packets of this Flow are being received | netflow.ingressInterfaceType |
| ingress_multicast_pkt_count | Total number of incoming multicast packets | netflow.ingressMulticastPacketTotalCount |
| ingress_unicast_pkt_count | Total number of incoming unicast packets | netflow.ingressUnicastPacketTotalCount |
| ingress_vlan | Virtual LAN identifier associated with ingress interface | netflow.src-vlan |
| input_snmpidx | SNMP index of input interface for this flow | netflow.input-snmpidx |
| interface_name | Short name uniquely describing an interface | netflow.if-name |
| ip_frag_flags | Fragmentation properties indicated by flags | ip.fragment-flags |
| ip_frag_id | Value of the Identification field in the IP packet header | ip.id |
| ipsec_spi | IPSec Security Parameters Index (SPI) | netflow.IPSecSPI |
| is_encrypted | Specifies if Application ID is an encrypted networking protocol | netflow.encryptedTechnology |
| is_p2p | Specifies if Application ID is based on peer-to-peer technology | netflow.p2pTechnology |
| is_tunnel | Specifies if Application ID is used as a tunnel technology | netflow.tunnelTechnology |
| layer2_segment_id | Identifier of a layer 2 network segment in an overlay network | netflow.layer2SegmentId |
| linecard_id | Identifier of a line card that is unique per IPFIX Device hosting an Observation Point | netflow.lineCardId |
| max_ttl | Max TTL value observed for any packet in this Flow | netflow-max-ttl |
| metering_process_id | Identifier of a Metering Process that is unique per IPFIX Device | netflow.meteringProcessId |
| min_ttl | Minimum TTL value observed for any packet in this Flow | netflow-min-ttl |
| mpls_top_label_type | Control protocol that allocated the top-of-stack label | netflow.mpls-top-label-type |
| msg_md5_chksum | MD5 checksum of the IPFIX Message containing this record | netflow.messageMD5Checksum |
| multicast_flags | Flags to indicate multicast | netflow.isMulticast |
| multicast_out_bytes | Outgoing multicast bytes | netflow.multicast-out-bytes |
| multicast_out_pkts | Outgoing multicast packets | netflow.multicast-out-packets |
| name | desc | term |
| nat_event | Indicates a NAT event | netflow.natEvent |
| nat_type | Type of NAT treatment | netflow.natType |
| netflow_elements | Key Value pairs | netflow.elements |
| netflow_version | Netflow Version | netflow.version |
| nexthop_addr | Address of the next hop | netflow.nexthop-address |
| not_sent_flow_count | Total number of Flow Records dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentFlowTotalCount |
| not_sent_octet_count | Total number of octets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentOctetTotalCount |
| not_sent_pkt_count | Total number of packets dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process | netflow.notSentPacketTotalCount |
| num_flows | Netflow number of flows | netflow.num-flows |
| observation_domain_id | Identifier of Observation Domain that is locally unique to an Exporting Process | netflow.observationDomainId |
| observation_point_id | Identifier of an Observation Point that is unique per Observation Domain | netflow.observationPointId |
| obsv_flow_count | Total number of Flows observed in the Observation Domain since the Metering Process (re-)initialization | netflow.observedFlowTotalCount |
| output_snmpidx | SNMP index of output interface for this flow | netflow.output-snmpidx |
| packets | Total number of packets in the flow | flow.packets |
| packets_in | Incoming counter for number of packets associated with an IP Flow | netflow.cs-packets |
| packets_out | Outgoing counter for number of packets associated with an IP Flow | netflow.sc-packets |
| perm_cs_bytes | Running byte counter for a permanent flow(incoming) | netflow.perm-bytes |
| perm_cs_pkts | Running packet counter for a permanent flow(incoming) | netflow.perm-packets |
| port_id | Identifier of line port that is unique per IPFIX Device hosting an Observation Point | netflow.portId |
| post_dest_mac | Modified destination mac address caused by a middlebox function | netflow.post-dest-mac |
| post_octet_count | Modified total octet count caused by a middlebox function after the packet passed the Observation Point. | netflow.postOctetTotalCount |
| post_pkt_count | Modified total packet count caused by a middlebox function after the packet passed the Observation Point. | netflow.postPacketTotalCount |
| post_src_mac | Modified source mac address caused by a middlebox function | netflow.post-src-mac |
| protoid | IP protocol type | ip.protoid |
| sampling_pkt_interval | Number of packets that are consecutively sampled | netflow.samplingPacketInterval |
| selector_algorithm | Packet selection methods applied | netflow.selectorAlgorithm |
| selector_id | Unique identifier associated with Selector | netflow.selectorId |
| selector_name | Name of a selector identified by a selectorID | netflow.selectorName |
| seqnumber | Netflow sequence number | netflow.flow-sequence |
| src_ip | Source address of flow | flow.c-ip |
| src_ip_prefix | Source address prefix | netflow.sourceIPPrefix |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_mask | Number of contiguous bits that are relevant in the source ip prefix | netflow.src-mask |
| src_port | Source port number of flow | flow.c-port |
| src_sysnum | System number of source for this flow | netflow.c-sysnum |
| ssid | Service Set Identifier of 802.11 (Wi-Fi) network | netflow.wlanSSID |
| sta_ip_addr | IP address of a wireless station | netflow.staIPAddress |
| sta_mac_addr | IEEE 802 MAC address of a wireless station (STA). | netflow.staMacAddress |
| sys_init_time_milli | The absolute timestamp of the last (re-)initialization of the IPFIX Device. | netflow.systemInitTimeMilliseconds |
| tcp_ack_num | The acknowledgement number in the TCP header | netflow.tcpAcknowledgementNumber |
| tcp_flags | Cumulative OR of TCP flags for this flow | netflow.tcp-flags |
| tcp_seq_num | The sequence number in the TCP header | netflow.tcpSequenceNumber |
| tcp_total_ack_count | Number of packets of this Flow with TCP ACK flag set | netflow.tcpAckTotalCount |
| tcp_total_fin_count | Number of packets of this Flow with TCP FIN flag set | netflow.tcpFinTotalCount |
| tcp_total_psh_count | Number of packets of this Flow with TCP PSH flag set | netflow.tcpPshTotalCount |
| tcp_total_rst_count | Number of packets of this Flow with TCP RST flag set | netflow.tcpRstTotalCount |
| tcp_total_syn_count | Number of packets of this Flow with TCP SYN flag set | netflow.tcpSynTotalCount |
| tcp_total_urg_count | Number of packets of this Flow with TCP URG flag set | netflow.tcpUrgTotalCount |
| tcp_win_size | The window field in the TCP header | netflow.tcpWindowSize |
| tcp_window_scale | The scale of the window field in the TCP header | netflow.tcpWindowScale |
| template_id | Identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain | netflow.templateId |
| time_taken | Duration of flow | flow.time-taken |
| top_label_ip | IPv4 address of the system that the MPLS top label will cause this Flow to be forwarded to | netflow.mplsTopLabelIPAddress |
| tos | Type of Service | ip.tos |
| txn_id | Identifies a transaction within a connection | netflow.connectionTransactionId |
| user_name | User name associated with the flow | netflow.userName |
| version | IP version | ip.version |
| virtual_station_itf_id | Instance Identifier of the interface to a Virtual Station | netflow.virtualStationInterfaceId |
| virtual_station_itf_name | Name of the interface to a Virtual Station | netflow.virtualStationInterfaceName |
| virtual_station_name | Name of a Virtual Station | netflow.virtualStationName |
| virtual_station_uuid | Unique Identifier of a Virtual Station | netflow.virtualStationUUID |
| wtp_mac_addr | IEEE 802 MAC address of a wireless access point | netflow.wtpMacAddress |
|}
sFlow
| Name | Description | Term | ||
|---|---|---|---|---|
| code | ICMP message code | icmp.code | ||
| cpu_util_1m | 1 minute average CPU utilization | sflow.cpu_percent_1m | ||
| cpu_util_5m | 5 minute average CPU utilization | sflow.cpu_percent_5m | ||
| cpu_util_5s | 5 second average CPU utilization | sflow.cpu_percent_5s | ||
| dest_charset | Destination character set | sflow.dest-charset | ||
| dest_ip | Destination address of flow | flow.s-ip | ||
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac | ||
| dest_path_as_nums | Destination path AS numbers | sflow.dest-path-as-nums | ||
| dest_port | Destination port number of flow | flow.s-port | ||
| dest_sysnum | System number of destination for this flow | netflow.s-sysnum | ||
| dest_user | Destination User | sflow.dest-user | ||
| dest_vlan | VLAN identifier of outgoing frame | netflow.dest-vlan | ||
| dest_vlan_priority | 802.ip priority of outgoing frame | netflow.dest-vlan_priority | ||
| dot12_hc_in_high_priority_octets | Count of the number of octets contained in high priority frames that have been received on this interface | sflow.dot12HCInHighPriorityOctets | ||
| dot12_hc_in_norm_priority_octets | Count of the number of octets contained in normal priority frames that have been received on this interface | sflow.dot12HCInNormPriorityOctets | ||
| dot12_hc_out_high_priority_octets | Count of the number of octets contained in high priority frames that have been send out of this interface | sflow.dot12HCOutHighPriorityOctets | ||
| dot12_in_data_errs | Count of oversize frames received on this interface | sflow.dot12InDataErrors | ||
| dot12_in_high_priority_frames | Count of high priority frames that have been received on this interface | sflow.dot12InHighPriorityFrames | ||
| dot12_in_high_priority_octets | Count of number of octets contained in high priority frames that have been received on this interface | sflow.dot12InHighPriorityOctets | ||
| dot12_in_ipm_errs | Count of number of frames that have been received on this interface with an invalid packet marker and no PMI errors | sflow.dot12InIPMErrors | ||
| dot12_in_norm_priority_frames | Count of normal priority frames that have been received on this interface | sflow.dot12InNormPriorityFrames | ||
| dot12_in_norm_priority_octets | Count of number of octets contained in normal priority frames that have been received on this interface | sflow.dot12InNormPriorityOctets | ||
| dot12_in_null_address_frames | Count of null addressed frames received on this interface | sflow.dot12InNullAddressedFrames | ||
| dot12_in_oversize_frames_errs | Count of oversize frames received on this interface | sflow.dot12InOversizeFrameErrors | ||
| dot12_out_high_priority_frames | Count of high priority frames successfully transmitted out | sflow.dot12OutHighPriorityFrames | ||
| dot12_out_high_priority_octets | Count of octets of high priority frames successfully transmitted out | sflow.dot12OutHighPriorityOctetss | ||
| dot12_transition_trainings | Count of the number of times this interface has entered the training state | sflow.dot12TransitionIntoTrainings | ||
| dot3_stats_alignment_errs | Frames received that are not an integral number of octets in length and do not pass the FCS check | sflow.dot3StatsAlignmentErrors | ||
| dot3_stats_carrier_sense_errors | Number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame | sflow.dot3StatsCarrierSenseErrors | ||
| dot3_stats_deferred_transmissions | Count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy | sflow.dot3StatsDeferredTransmissions | ||
| dot3_stats_excessive_collisions | Count of frames for which transmission on a particular interface fails due to excessive collisions | sflow.dot3StatsExcessiveCollisions | ||
| dot3_stats_fcs_errs | Frames received that are an integral number of octets in length but do not pass the FCS check | sflow.dot3StatsFCSErrors | ||
| dot3_stats_frame_too_longs | Count of frames received on a particular interface that exceed the maximum permitted frame size | sflow.dot3StatsFrameTooLongs | ||
| dot3_stats_internal_mac_receive_errors | Count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error | sflow.dot3StatsInternalMacReceiveErrors | ||
| dot3_stats_internal_mac_tranmit_errors | Count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error | sflow.dot3StatsInternalMacTransmitErrors | ||
| dot3_stats_late_collisions | Number of times that a collision is detected on a particular interface later than 512 bit-times into the transmission of a packet | sflow.dot3StatsLateCollisions | ||
| dot3_stats_multi_collision_frames | Count of transmitted frames on a particular interface for which transmission is inhibited by more than one collision | sflow.dot3StatsMultipleCollisionFrames | ||
| dot3_stats_single_collision_frames | Count of transmitted frames on a particular interface for which transmission is inhibited by exactly one collision | sflow.dot3StatsSingleCollisionFrames | ||
| dot3_stats_sqe_test_errors | Count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface | sflow.dot3StatsSQETestErrors | ||
| dot3_stats_symbol_errors | Number of times there was an invalid data symbol when a valid carrier was present on a particular interface | sflow.dot3StatsSymbolErrors | ||
| dot5_stats_abort_trans_errors | Count of errors resulting from an abort delimiter while transmitting | sflow.dot5StatsAbortTransErrors | ||
| dot5_stats_ac_errors | Count of errors resulted by station that cannot set the AC bits properly | sflow.dot5StatsACErrors | ||
| dot5_stats_burst_errors | Count of absence of transitions for five half-bit timers | sflow.dot5StatsBurstErrors | ||
| dot5_stats_frame_copy_errs | Count of errors resulting from FS field A bits set to 1 | sflow.dot5StatsFrameCopiedErrors | ||
| dot5_stats_freq_errs | Number of times the interface has detected that the frequency of the incoming signal differs from the expected frequency by more than that specified by the IEEE 802.5 standard | sflow.dot5StatsFreqErrors | ||
| dot5_stats_hard_errs | Number of times this interface has detected an immediately recoverable fatal error | sflow.dot5StatsHardErrors | ||
| dot5_stats_internal_errors | Count of internal errors | sflow.dot5StatsInternalErrors | ||
| dot5_stats_line_errors | Count of tokens or frames with E bit set to zero and there is J or K bit between the SD and the ED or there is an FCS error | sflow.dot5StatsLineErrors | ||
| dot5_stats_lobe_wires | Number of times times the interface has detected an open or short circuit in the lobe data path | sflow.dot5StatsLobeWires | ||
| dot5_stats_lost_frame_errors | Count of errors resulting from TRR timer expiry | sflow.dot5StatsLostFrameErrors | ||
| dot5_stats_recoverys | Number of Claim Token MAC frames received or transmitted after the interface has received a Ring Purge MAC frame | sflow.dot5StatsRecoverys | ||
| dot5_stats_recv_congestion | Count of errors resulting from no available buffer space or congestion | sflow.dot5StatsReceiveCongestions | ||
| dot5_stats_removes | Number of times the interface has received a Remove Ring Station MAC frame request | sflow.dot5StatsRemoves | ||
| dot5_stats_signal_loss | Number of times this interface has detected the loss of signal condition from the ring | sflow.dot5StatsSignalLoss | ||
| dot5_stats_singles | Number of times the interface has sensed that it is the only station on the ring | sflow.dot5StatsSingles | ||
| dot5_stats_soft_errs | Count of Soft Errors the interface has detected | sflow.dot5StatsSoftErrors | ||
| dot5_stats_token_errs | Count of errors resulting from a condition that needs a token transmitted | sflow.dot5StatsTokenErrors | ||
| dot5_stats_transmit_beacons | Number of times this interface has transmitted a beacon frame | sflow.dot5StatsTransmitBeacons | ||
| ethernet_pkt_type | Ethernet packet type | sflow.ethernet-packet-type | ||
| event_name | Name of event | flow.event-name | ||
| exporter_ip | IP address of device that generated flow | netflow.exporterIPAddress | ||
| free_mem | Free memory(in bytes) | sflow.free-mem | ||
| gateway_communities | Gateway communities | sflow.gateway-communities | ||
| http_host | Host field for HTTP | http.host | ||
| http_url | URL associated with the flow | http.uri | ||
| input_snmpidx | SNMP index of input interface for this flow | netflow.input-snmpidx | ||
| interface_direction | Interface Direction | flow.interface-direction | ||
| interface_index | Network interface index | flow.interface-index | ||
| interface_input_broad_pkts | Interface broadcast packets | flow.interface-input-broad-pkts | ||
| interface_input_discard_pkts | Interface discarded packets | flow.interface-input-discard-pkts | ||
| interface_input_errors | Interface input errors | flow.interface-input-errors | ||
| interface_input_multi_pkts | Interface multicast packets | flow.interface-input-multi-pkts | ||
| interface_input_octets | Interface input octets | flow.interface-input-octets | ||
| interface_input_pkts | Interface input packets | flow.interface-input-pkts | ||
| interface_input_unk_proto_pkts | Interface input unknown protocol packets | flow.interface-input-unk-protos | ||
| interface_name | Name of network interface | flow.interface-name | ||
| interface_output_broad_pkts | Interface broadcast packets | flow.interface-output-broad-pkts | ||
| interface_output_discard_pkts | Interface discarded packets | flow.interface-output-discard-pkts | ||
| interface_output_errors | Interface output errors | flow.interface-output-errors | ||
| interface_output_multi_pkts | Interface multicast packets | flow.interface-output-multi-pkts | ||
| interface_output_octets | Interface output octets | flow.interface-output-octets | ||
| interface_output_pkts | Interface output packets | flow.interface-output-pkts | ||
| interface_promiscuous_mode | Interface promiscuous mode | flow.interface-promiscuous | ||
| interface_speed | Network interface speed | flow.interface-speed | ||
| interface_status | Interface status | flow.interface-status | ||
| interface_type | Network interface type | flow.interface-type | ||
| ip_len | Length of the IP packet | ip.packet-len | ||
| mpls_ftn_desc | MPLS FTN description | sflow.mpls-ftn-desc | ||
| mpls_ftn_mask | MPLS FTN mask | sflow.mpls-ftn-mask | ||
| mpls_in_label | Entries for MPLS label stack | sflow.in-mpls-label | ||
| mpls_out_label | Entries for MPLS label stack | sflow.out-mpls-label | ||
| name | desc | term | ||
| nat_dest_ip | Modified ip address value caused by NAT | netflow.postNATDestinationIPAddress | ||
| nat_src_ip | Modified ip address value caused by NAT | netflow.postNATSourceIPAddress | ||
| next_hop_address | IP address of the next hop router | netflow.nexthop-address | ||
| orig_frame_len | sFlow Original length of packet before sampling | sflow.frame-length | ||
| output_snmpidx | SNMP index of output interface for this flow | netflow.output-snmpidx | ||
| packets | Total number of packets in the flow | flow.packets | ||
| peer_as_num | Autonomous system (AS) number of source peer | sflow.peer-as-num | ||
| protoid | IP protocol type | ip.protoid | ||
| route_local_pref | Local Pref | sflow.route-localpref | ||
| router_as_num | Autonomous system (AS) number of the Router | sflow.router-as-num | ||
| seqnumber | sFlow sequence number | sflow.flow-sequence | ||
| sflow_dropped_pkts | Dropped packets | sflow.dropped-pkts | ||
| sflow_elements | Key Value pairs | sflow.elements | ||
| sflow_header_protocol | sFlow raw packet header protocol | sflow.header-protocol | ||
| sflow_input_itf_index | Interface packet was received on | sflow.input-interface-index | ||
| sflow_output_itf_index | Interface packet was sent on | sflow.output-interface-index | ||
| sflow_sample_pool | Number of packets sampled | sflow.sample-pool | ||
| sflow_sampling_rate | sFlow sampling rate | sflow.sampling-rate | ||
| sflow_version | sFlow Version | sflow.version | ||
| src_charset | Source character set | sflow.src-charset | ||
| src_ip | Source address of flow | flow.c-ip | ||
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac | ||
| src_port | Source port number of flow | flow.c-port | ||
| src_sysnum | System number of source for this flow | netflow.c-sysnum | ||
| src_user | Source User | sflow.src-user | ||
| src_vlan | VLAN identifier of incoming frame | netflow.src-vlan | ||
| src_vlan_priority | 802.ip priority of incoming frame | netflow.src-vlan_priority | ||
| stripped_octets | Number of octets removed | sflow.stripped-octets | ||
| stripped_vlan_tags | List of stripped 802.1Q TPID/TCI layers | sflow.vlan-tags | ||
| tcp_flags | Cumulative OR of TCP flags for this flow | netflow.tcp-flags | ||
| time_taken | Duration of flow | flow.time-taken | ||
| tos | Type of Service | ip.tos | ||
| total_mem | Total memory(in bytes) | sflow.total-mem | ||
| tunnel_cos | Tunnel COS value | sflow.tunnel-cos | ||
| tunnel_id | Tunnel Identifier | sflow.tunnel-id | ||
| tunnel_name | Tunnel name | sflow.tunnel-name | ||
| type | ICMP message type | icmp.type | ||
| url_direction | Direction associated with the URL 0 - source / 1 - destination | flow.direction | ||
| vc_inst_id | VC instance identifier | sflow.vc-id | ||
| vc_inst_name | VC instance name | sflow.vc-instance-name | ||
| vc_label_cos | VC label COS value | sflow.vc-label-cos | ||
| vlan_broad_cast_pkts | Count of broadcast packets | sflow.vlan-broadcast-packets | ||
| vlan_discards | Count of discards | sflow.vlanDiscards | ||
| vlan_id | Vlan Id | flow.vlan-id | ||
| vlan_multi_cast_pkts | Count of multi-cast packets | sflow.vlan-multicast-packets | ||
| vlan_octets | Count of octets | sflow.vlanOctets | ||
| vlan_ucast_pkts | Count of uni-cast packets | sflow.vlan-ucast-packets |
Last modified on 11 November, 2017
| File Service |
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1
Download manual
Feedback submitted, thanks!