Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Email

Splunk App for Stream supports capture of the following email protocols on Linux, Mac, and Windows. For more information, see Configure Streams in the Splunk App for Stream User Manual. Each protocol section lists the field name as it appears in indexed events, a description, and the underlying Stream term the field is extracted from.

IMAP

Internet Message Access Protocol, RFC 3501

| Name | Description | Term |
|---|---|---|
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol | flow.transport |
| attach_content_decoded | Decoded content of the attached files | email.attach-content-decoded |
| attach_filename | Attachment name | email.attach-filename |
| attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
| attach_type | Content type of the sent attached file | email.attach-type |
| content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
| date | Message date | email.date |
| email_index | Index of the request that the email is attached to | email.email-index |
| greeting | Contains the greeting message of the server | email.greeting-message |
| login | User's login string | email.login |
| login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
| method | Command sent by the client | email.method |
| mime_type | Content-type of the e-mail message | email.mime-type |
| msg_id | Unique identifier for the e-mail message | email.message-id |
| received_by_ip | Contains the IP address of the receiving host | email.received-by-ip |
| received_by_name | Contains the receiving host name | email.received-by-name |
| received_date | Date when the transport service relayed the message | email.received-date |
| received_from_ip | Contains the IP address of the sending host | email.received-from-ip |
| received_from_name | Contains the sending host name | email.received-from-name |
| received_server_agent | Contains the name of the server agent | email.received-server-agent |
| received_with | Contains the software used to send the email | email.received-with |
| receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
| receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
| receiver_email | E-mail address of the message recipient | email.receiver-email |
| receiver_type | Type of the email receiver | email.receiver-type |
| reply_to | Email address to use in a reply to this message | email.reply-to |
| sender | Full address of email sender (alias followed by email address) | email.sender |
| sender_alias | Name of the email sender | email.sender-alias |
| sender_email | Email address of the email sender | email.sender-email |
| server_response | The return code of the server | email.server-response |
| subject | Subject of the e-mail message | email.subject |
| useragent | Name of the client software used | email.user-agent |

MAPI

Messaging Application Programming Interface

| Name | Description | Term |
|---|---|---|
| action | Indicates if the message is read (Read) or composed (Compose) | email.action |
| attach_filename | Attachment file name | email.attach-filename |
| reply_to | Attachment file size | email.attach-size |
| contact_alias | Contains the name of the server agent | email.contact-alias |
| contact_email | Email address of the email receiver | email.contact-email |
| content | Content of the message | email.content |
| importance | Indicates if the email has been marked by the user | email.importance |
| login | User's login string | email.login |
| login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
| msglist_receiver | Full address of email receiver in a message list | email.msglist-receiver |
| receiver_email | Contains the IP address of the sending host | email.msglist-receiver-email |
| msglist_sender | Full address of email sender (alias and email address) (UTF-16) | email.msglist-sender |
| msglist_size | Message size in a message list | email.msglist-size |
| msglist_subject | Message subject in a message list (UTF-16) | email.msglist-subject |
| receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
| receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
| receiver_email | E-mail address of the message recipient | email.receiver-email |
| sender | Full address of email sender (alias followed by email address) | email.sender |
| sender_alias | Name of the email sender | email.sender-alias |
| sender_email | Email address of the email sender | email.sender-email |
| subject | Subject of the e-mail message | email.subject |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| refused | Number of requests that were refused by the server | flow.refused |
| dest_ip | Server IP address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport layer protocol | flow.transport |
| auth_type | Authentication type used | mapi.authtype |
| date | Message date, as the number of 100-nanosecond intervals since January 1, 1601 (Windows FILETIME format) | mapi.date |
| domain | Network domain of the client | mapi.domain |
| email_type | Email type | mapi.email-type |
| host | Client's host name | mapi.host |
| received_with | Sensitivity of the message | mapi.msg-sensibility |
| size | Message size | mapi.size |

POP3

Post Office Protocol - Version 3, RFC 5034

| Name | Description | Term |
|---|---|---|
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| attach_content_decoded | Decoded content of the attached files | email.attach-content-decoded |
| attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
| attach_filename | Attachment name | email.attach-filename |
| attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
| attach_type | Content type of the sent attached file | email.attach-type |
| content_body | Data containing the message body | email.content-body |
| content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
| date | Message date | email.date |
| email_index | Index of the request that the email is attached to | email.email-index |
| greeting | Contains the greeting message of the server | email.greeting-message |
| login | User's login string | email.login |
| login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
| method | Command sent by the client | email.method |
| mime_type | Content-type of the e-mail message | email.mime-type |
| msg_id | Unique identifier for the e-mail message | email.message-id |
| password | User's password string | email.password |
| received_by_ip | Contains the IP address of the receiving host | email.received-by-ip |
| received_by_name | Contains the receiving host name | email.received-by-name |
| received_date | Date when the transport service relayed the message | email.received-date |
| received_from_ip | Contains the IP address of the sending host | email.received-from-ip |
| received_from_name | Contains the sending host name | email.received-from-name |
| received_server_agent | Contains the name of the server agent | email.received-server-agent |
| received_with | Contains the software used to send the email | email.received-with |
| receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
| receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
| receiver_email | E-mail address of the message recipient | email.receiver-email |
| receiver_type | Type of the email receiver | email.receiver-type |
| reply_to | Email address to use in a reply to this message | email.reply-to |
| sender | Full address of email sender (alias followed by email address) | email.sender |
| sender_alias | Name of the email sender | email.sender-alias |
| sender_email | Email address of the email sender | email.sender-email |
| server_response | The return code of the server | email.server-response |
| subject | Subject of the e-mail message | email.subject |
| useragent | Name of the client software used | email.user-agent |

SMTP

Simple Mail Transfer Protocol, RFC 2821

| Name | Description | Term |
|---|---|---|
| src_ip | Client IP address | flow.c-ip |
| dest_ip | Server IP address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| attach_content_decoded | Decoded content of the attached files | email.attach-content-decoded |
| attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
| attach_filename | Attachment name | email.attach-filename |
| attach_size | Attachment MIME size | email.attach-size |
| attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
| attach_type | Content type of the sent attached file | email.attach-type |
| content_body | Data containing the message body | email.content-body |
| content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
| date | Message date | email.date |
| email_index | Index of the request that the email is attached to | email.email-index |
| greeting | Contains the greeting message of the server | email.greeting-message |
| login | User's login string | email.login |
| method | Command sent by the client | email.method |
| mime_type | Content-type of the e-mail message | email.mime-type |
| msg_id | Unique identifier for the e-mail message | email.message-id |
| password | User's password string | email.password |
| received_by_ip | Contains the IP address of the receiving host | email.received-by-ip |
| received_by_name | Contains the receiving host name | email.received-by-name |
| received_date | Date when the transport service relayed the message | email.received-date |
| received_from_ip | Contains the IP address of the sending host | email.received-from-ip |
| received_from_name | Contains the sending host name | email.received-from-name |
| received_server_agent | Contains the name of the server agent | email.received-server-agent |
| received_with | Contains the software used to send the email | email.received-with |
| receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
| receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
| receiver_email | E-mail address of the message recipient | email.receiver-email |
| receiver_type | Type of the email receiver | email.receiver-type |
| reply_to | Email address to use in a reply to this message | email.reply-to |
| sender | Full address of email sender (alias followed by email address) | email.sender |
| sender_alias | Name of the email sender | email.sender-alias |
| sender_email | Email address of the email sender | email.sender-email |
| server_response | The return code of the server | email.server-response |
| subject | Subject of the e-mail message | email.subject |
| useragent | Name of the client software used | email.user-agent |
| duration | Duration of the SMTP session in seconds | smtp.duration |
| receiver_rcpt_to | Recipient's email address (as given in the RCPT TO command) | smtp.receiver-rcpt-to |
| response_code | Return code | smtp.response-code |
| sender_mail_from | Sender's email address (as given in the MAIL FROM command) | smtp.sender-mail-from |
| sender_server | Contains the name of the SMTP server used | smtp.sender-server |
| server_agent | The software name used by the email server | smtp.server-agent |
| start_time | Starting time of the SMTP session | smtp.start-time |
| stop_time | Ending time of the SMTP session | smtp.stop-time |
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

