Splunk Stream

User Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Stream field details

This topic provides information about the specific protocol fields captured by Splunk Stream.

Latency information

Field Description
time_taken The event duration in microseconds, i.e. time difference between timestamps of the last and first packets that comprise an event plus client_rtt time (if applicable for that protocol). For example, for HTTP request/response event (sourcetype=stream:http) a first packet is the first request packet and the last packet is either the last response packet or the client ack packet acknowledging the last response packet, if captured. For a “flow” event (tcp or udp) the first and last packets are the first and last packets in the entire flow, respectively.
The following metrics are only calculated for tcp-based protocol events:
Field Description
client_rtt The average round trip time in microseconds from the client to the point of capture — calculated based on a complex algorithm involving correlating data packet timestamps with corresponding acknowledgment packet timestamps.
server_rtt The average round trip time in microseconds from the server to the point of capture — calculated based on a complex algorithm involving correlating data packet timestamps with corresponding acknowledgment packet timestamps.
The following metrics are only calculated for request/response protocols such as HTTP/FTP/SMTP etc.
Field Description
request_time The number of microseconds that it took the client to send the request, i.e. time difference between last and first request data packets (0 if request fits in a single packet).
response_time Similar to request time, but for the server response data.
reply_time The number of microseconds between the last request packet and the first response packet.
request_ack_time The time difference between the last request packet and the ACK packet from the server acknowledging the last request packet.
response_ack_time Similar to request_ack_time, but timing the acknowledgment of the last response packet.
Last modified on 08 March, 2017
Configure streams to capture network data   Stream aggregation methods

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters