Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Simple Transport

Splunk App for Stream supports capture of the following Simple Transport protocols on Linux, Mac, and Windows. Each table lists the field name as it appears in indexed events, a description of the field, and the corresponding Stream term. For more information, see Configure Streams in the Splunk App for Stream User Manual.

ARP

Address Resolution Protocol (RFC 826)

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Source IP address | flow.c-ip |
| src_mac | Source MAC address in hexadecimal format | flow.c-mac |
| network_interface | Name of network interface | flow.interface-name |
| capture_hostname | Hostname where flow was captured | flow.hostname |
| vlan_id | VLAN ID from 802.1Q header | flow.vlan-id |
| dest_ip | Destination IP address | flow.s-ip |
| dest_mac | Destination MAC address in hexadecimal format | flow.s-mac |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| flow_id | Flow ID | flow.flow-id |
| protocol_stack | Protocol stack of flow | flow.protocol-stack |
| opcode | Operation code: Request = 1, Response = 2 | arp.opcode |
| protocol_type | Protocol number in the ARP message | arp.protocol-type |
| protocol_size | Size in bytes of the logical address requested | arp.protocol-size |
| hardware_type | Hardware type for which the request is sent | arp.hardware-type |
| hardware_size | Hardware (MAC) address length | arp.hardware-size |
| arp_src_mac | ARP sender MAC address in hexadecimal format, from the ARP packet header | arp.src-mac |
| arp_dest_mac | ARP destination MAC address in hexadecimal format, from the ARP packet header | arp.dest-mac |
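The ARP fields above carry both the Ethernet source MAC (src_mac) and the sender hardware address inside the ARP payload (arp_src_mac), together with the opcode that distinguishes requests from replies. That combination is what an analyst uses to spot an IP address being claimed by more than one MAC, or a reply whose frame header and ARP payload disagree. The following is an added example, not code from the Splunk Stream documentation or product; it runs over a handful of constructed JSON events that use the field names from the table (the values, and the assumption that events arrive as one JSON object per line, are made up for this example).

```python
import json
from collections import defaultdict

# Constructed sample events shaped like Splunk Stream ARP events, one JSON
# object per line. Field names come from the table above; the values are
# invented for this example. 10.0.0.1 is claimed by two different MACs, and
# the reply for 10.0.0.7 has a frame source MAC that differs from the ARP
# sender hardware address.
SAMPLE_ARP_EVENTS = [
    '{"opcode": 2, "src_ip": "10.0.0.1", "src_mac": "00:11:22:33:44:01", "arp_src_mac": "00:11:22:33:44:01", "dest_ip": "10.0.0.50", "capture_hostname": "sensor1"}',
    '{"opcode": 2, "src_ip": "10.0.0.1", "src_mac": "00:11:22:33:44:01", "arp_src_mac": "00:11:22:33:44:01", "dest_ip": "10.0.0.51", "capture_hostname": "sensor1"}',
    '{"opcode": 2, "src_ip": "10.0.0.1", "src_mac": "de:ad:be:ef:00:99", "arp_src_mac": "DE:AD:BE:EF:00:99", "dest_ip": "10.0.0.52", "capture_hostname": "sensor1"}',
    '{"opcode": 1, "src_ip": "10.0.0.50", "src_mac": "00:aa:bb:cc:dd:50", "arp_src_mac": "00:aa:bb:cc:dd:50", "dest_ip": "10.0.0.1", "capture_hostname": "sensor1"}',
    '{"opcode": 2, "src_ip": "10.0.0.7", "src_mac": "00:aa:bb:cc:dd:07", "arp_src_mac": "00:aa:bb:cc:dd:ee", "dest_ip": "10.0.0.50", "capture_hostname": "sensor1"}',
]


def parse_events(lines):
    """Parse one JSON event per line into a list of dicts."""
    return [json.loads(line) for line in lines]


def ip_mac_conflicts(events):
    """Map src_ip -> sorted list of sender MACs for IPs that appear in ARP
    replies (opcode 2) with more than one sender hardware address.
    Requests are ignored because the sender field of a request is not an
    assertion of ownership in the same way a reply is."""
    macs_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("opcode") != 2:
            continue
        # Normalise case so "DE:AD..." and "de:ad..." count as one MAC.
        macs_by_ip[ev["src_ip"]].add(ev["arp_src_mac"].lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def header_payload_mismatches(events):
    """Return sorted src_ips whose Ethernet source MAC (src_mac) differs from
    the sender hardware address inside the ARP payload (arp_src_mac)."""
    return sorted(
        {ev["src_ip"] for ev in events
         if ev["src_mac"].lower() != ev["arp_src_mac"].lower()}
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_ARP_EVENTS)
    print("IPs claimed by more than one MAC:", ip_mac_conflicts(evs))
    print("Frame/payload MAC mismatches:", header_payload_mismatches(evs))
```

In a real deployment the same two checks can be expressed as a scheduled search over the indexed ARP events (group replies by src_ip and count distinct arp_src_mac values); the Python version here just makes the logic explicit on data you can inspect.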

IP

Internet Protocol (RFC 791)

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP address | flow.c-ip |
| src_mac | MAC address of client packets, in hexadecimal format | flow.c-mac |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| src_content | All raw payload content sent from client to server | flow.cs-content |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| network_interface | Name of network interface | flow.interface-name |
| capture_hostname | Hostname where flow was captured | flow.hostname |
| protoid | Upper layer protocol | ip.protoid |
| app | Layer 4 protocol name | flow.protocol |
| dest_ip | Server IP address | flow.s-ip |
| dest_mac | MAC address of server packets, in hexadecimal format | flow.s-mac |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| dest_content | All raw payload content sent from server to client | flow.sc-content |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| version | IP version | ip.version |
| tos | Type of Service | ip.tos |

TCP

Transmission Control Protocol (RFC 793)

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | MAC address of client packets, in hexadecimal format | flow.c-mac |
| dest_mac | MAC address of server packets, in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| ssl_session_id | SSL session ID | flow.ssl-session-id |
| ssl_cert_md5 | MD5 hash of the SSL certificate | flow.ssl-cert-md5 |
| ssl_commonname | Common name (with domain name) of the subject in the SSL certificate | flow.ssl-cert-subject-commonname |
| ssl_orgname | Organization name of the subject in the SSL certificate | flow.ssl-cert-subject-orgname |
| ssl_issuer | Organization name of the issuer in the SSL certificate | flow.ssl-cert-issuer-orgname |
| ssl_serialnumber | Serial number of the SSL certificate | flow.ssl-cert-serialnumber |
| ssl_validity_end | SSL certificate's validity end date | flow.ssl-cert-validity-not-after |
| ssl_validity_start | SSL certificate's validity start date | flow.ssl-cert-validity-not-before |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0 = OK, 1 = RESET, 2 = IGNORED) | flow.tcp-status |
| protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
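Two of the TCP fields above are particularly useful for monitoring: tcp_status tells you whether each handshake completed (0), was reset (1) or was ignored (2), and the ssl_* fields expose certificate metadata without decrypting anything. The example below is added here and is not code from the Splunk Stream documentation or product. It summarises handshake outcomes per server endpoint, lists clients whose handshakes were reset on several distinct server ports (a pattern worth an analyst's attention), and reports certificates that are already past ssl_validity_end. The events are constructed for the example using the table's field names; the ISO 8601 form of ssl_validity_end and the one-JSON-object-per-line layout are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like Splunk Stream TCP events, one JSON
# object per line. Field names come from the table above; values and the
# timestamp format of ssl_validity_end are invented for this example.
SAMPLE_TCP_EVENTS = [
    '{"src_ip": "10.0.0.50", "dest_ip": "10.0.0.1", "dest_port": 443, "tcp_status": 0, "time_taken": 12000, "ssl_version": "TLSv1.2", "ssl_commonname": "intranet.example", "ssl_validity_end": "2018-01-01T00:00:00Z"}',
    '{"src_ip": "10.0.0.50", "dest_ip": "10.0.0.1", "dest_port": 443, "tcp_status": 0, "time_taken": 15000, "ssl_version": "TLSv1.2", "ssl_commonname": "intranet.example", "ssl_validity_end": "2018-01-01T00:00:00Z"}',
    '{"src_ip": "10.0.0.60", "dest_ip": "10.0.0.1", "dest_port": 22, "tcp_status": 1, "time_taken": 300, "ssl_version": "undefined"}',
    '{"src_ip": "10.0.0.60", "dest_ip": "10.0.0.1", "dest_port": 23, "tcp_status": 1, "time_taken": 280, "ssl_version": "undefined"}',
    '{"src_ip": "10.0.0.60", "dest_ip": "10.0.0.1", "dest_port": 25, "tcp_status": 1, "time_taken": 310, "ssl_version": "undefined"}',
    '{"src_ip": "10.0.0.61", "dest_ip": "10.0.0.1", "dest_port": 22, "tcp_status": 0, "time_taken": 900000, "ssl_version": "undefined"}',
    '{"src_ip": "10.0.0.70", "dest_ip": "10.0.0.2", "dest_port": 8443, "tcp_status": 0, "time_taken": 20000, "ssl_version": "TLSv1.0", "ssl_commonname": "legacy.example", "ssl_validity_end": "2016-06-30T23:59:59Z"}',
]

# Meaning of tcp_status as documented in the table above.
STATUS_NAMES = {0: "OK", 1: "RESET", 2: "IGNORED"}

# Assumed timestamp layout for ssl_validity_end in the constructed events.
VALIDITY_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(lines):
    """Parse one JSON event per line into a list of dicts."""
    return [json.loads(line) for line in lines]


def handshake_summary(events):
    """Count handshake outcomes per server endpoint ("dest_ip:dest_port"),
    e.g. {"10.0.0.1:22": {"RESET": 1, "OK": 1}}."""
    summary = defaultdict(Counter)
    for ev in events:
        endpoint = f"{ev['dest_ip']}:{ev['dest_port']}"
        summary[endpoint][STATUS_NAMES.get(ev["tcp_status"], "UNKNOWN")] += 1
    return {endpoint: dict(counts) for endpoint, counts in summary.items()}


def reset_heavy_sources(events, min_distinct_ports=3):
    """Sorted list of client IPs whose handshakes were RESET on at least
    min_distinct_ports distinct server ports. A single reset is ordinary;
    resets spread across many ports from one source is what to review."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["tcp_status"] == 1:
            ports_by_src[ev["src_ip"]].add(ev["dest_port"])
    return sorted(ip for ip, ports in ports_by_src.items()
                  if len(ports) >= min_distinct_ports)


def expired_certificates(events, now_iso):
    """Sorted (ssl_commonname, ssl_validity_end) pairs for certificates whose
    validity end is earlier than now_iso (same timestamp layout)."""
    now = datetime.strptime(now_iso, VALIDITY_FORMAT).replace(tzinfo=timezone.utc)
    found = set()
    for ev in events:
        end = ev.get("ssl_validity_end")
        if not end:
            continue  # unencrypted flow, or certificate details not captured
        end_dt = datetime.strptime(end, VALIDITY_FORMAT).replace(tzinfo=timezone.utc)
        if end_dt < now:
            found.add((ev.get("ssl_commonname", ""), end))
    return sorted(found)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TCP_EVENTS)
    print("Handshake outcomes:", handshake_summary(evs))
    print("Sources reset on many ports:", reset_heavy_sources(evs))
    print("Expired certificates:", expired_certificates(evs, "2017-03-08T00:00:00Z"))
```

The threshold in reset_heavy_sources is deliberately a parameter: the right value depends on how noisy a given network segment is, and tuning it against your own baseline is more useful than any fixed number.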

UDP

User Datagram Protocol (RFC 768)

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | MAC address of client packets, in hexadecimal format | flow.c-mac |
| dest_mac | MAC address of server packets, in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |

Last modified on 08 March, 2017

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1

