File Service
Splunk App for Stream supports capture of these File Service protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
NFS
Network File System RFC 7530
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
content | File content | nfs.content |
file-handle | Unique identifier for a file | nfs.file-handle |
filename | Accessed, written, or read file name | nfs.filename |
filesize | Size of the file | nfs.filesize |
gid | Identifier of the file owner's group | nfs.gid |
mode | Protection mode bits | nfs.mode |
offset | Offset of the written/read file | nfs.offset |
command | Procedure or command set | nfs.command |
status | Response status for a request | nfs.status |
type | File type | nfs.type |
uid | Generic user Id | nfs.uid |
version | Used version | nfs.version |
SMB
Server Message Block
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
login | User's login string | smb.login |
command | Command string | smb.command |
dialect | The version of the SMB Protocol | smb.dialect |
domain | Domain name | smb.domain |
filename | Name of the transferred file | smb.filename |
filesize | Size (byte) of the transferred file | smb.filesize |
native_os | Client's operating system | smb.native-os |
nt_status | NT error code | smb.nt-status |
path | The server/share name of the resource to which the client attempts to connect | smb.path |
search_attributes | An attribute mask used to specify the standard attributes a file must have in order to match the search | smb.search-attributes |
search_pattern | The file pattern to search for | smb.search-pattern |
service | The type of resource that the client intends to access | smb.service |
user_id | User identifier (SMB usmb_v1 only) | smb.user-id |
Flow Protocols | File Transfer |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Feedback submitted, thanks!