Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Infrastructure

Splunk App for Stream supports capture of the following infrastructure protocols on Linux, Mac, and Windows. For more information, see Configure Streams in the Splunk App for Stream User Manual. Each table lists the extracted field name, its description, and the corresponding term used in the Stream configuration.

DHCP

Dynamic Host Configuration Protocol (RFC 2132)

Name | Description | Term
src_ip | Client IP address | flow.c-ip
dest_ip | Server IP address | flow.s-ip
src_port | Client port number | flow.c-port
dest_port | Server port number | flow.s-port
src_mac | MAC address of the client's packets, in hexadecimal format | flow.c-mac
dest_mac | MAC address of the server's packets, in hexadecimal format | flow.s-mac
packets_in | Total number of packets sent from client to server | flow.cs-packets
packets_out | Total number of packets sent from server to client | flow.sc-packets
bytes_in | Number of bytes sent from client to server | flow.cs-bytes
bytes_out | Number of bytes sent from server to client | flow.sc-bytes
bytes | Total number of bytes transferred | flow.bytes
time_taken | Number of microseconds, from the end user's perspective, that it took to complete the flow event | flow.time-taken
protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol
transport | Transport layer protocol | flow.transport
opcode | DHCP message type | dhcp.message-type
file | Name of the boot file used during initialization | dhcp.filename
chaddr | Client hardware address | dhcp.client-mac
ciaddr | Client IP address | dhcp.current-client-ip
dns_server | DNS server IP address | dhcp.dns-ip
giaddr | Relay agent IP address | dhcp.relay-ip
ip_lease_time | Lease time the DHCP server is willing to offer | dhcp.lease-time
siaddr | IP address of the next server (used when booting via a server) | dhcp.server-ip
sname | Host name of the next server | dhcp.server-name
yiaddr | New IP address assigned to the client | dhcp.new-client-ip
subnetmask | Subnet mask assigned to the client | dhcp.new-client-subnet
router | IP address of the gateway | dhcp.gateway-ip

DNS

Domain Name System (RFC 1034)

Name | Description | Term
src_ip | Client IP address | flow.c-ip
dest_ip | Server IP address | flow.s-ip
src_port | Client port number | flow.c-port
dest_port | Server port number | flow.s-port
src_mac | MAC address of the client's packets, in hexadecimal format | flow.c-mac
dest_mac | MAC address of the server's packets, in hexadecimal format | flow.s-mac
packets_in | Total number of packets sent from client to server | flow.cs-packets
packets_out | Total number of packets sent from server to client | flow.sc-packets
bytes_in | Number of bytes sent from client to server | flow.cs-bytes
bytes_out | Number of bytes sent from server to client | flow.sc-bytes
bytes | Total number of bytes transferred | flow.bytes
time_taken | Number of microseconds, from the end user's perspective, that it took to complete the flow event | flow.time-taken
protocol | Layer 7 protocol name (http, ftp, etc.) | flow.protocol
transport | Transport layer protocol (udp or tcp) | flow.transport
ancount | Number of resource records in the answer section | dns.ancount
arcount | Number of additional records | dns.arcount
hostname | Host name | dns.host
host_addr | Host IP address | dns.host-addr
host_type | DNS host type | dns.host-type
message_type | DNS message type | dns.message-type
name | Name of the request | dns.name
nscount | Number of answers in the authority section | dns.nscount
qdcount | Number of queries | dns.qdcount
query | DNS query sent | dns.query
query_type | DNS query type | dns.query-type
reply_code | Return message | dns.reply-code
response_time | Elapsed time, in microseconds, between sending the DNS request and receiving the response | dns.response-time
reverse_addr | IP address returned for the PTR request | dns.reverse-addr
transaction_id | DNS transaction identifier | dns.transaction-id
ttl | Time, in seconds, that the DNS information returned by the server will be kept in cache | dns.ttl

ICMP

Internet Control Message Protocol (RFC 792)

Name | Description | Term
bytes | Total number of bytes transferred | flow.bytes
src_ip | IP address of the client in dotted-quad notation | flow.c-ip
src_mac | MAC address of the client's packets, in hexadecimal format | flow.c-mac
bytes_in | Number of bytes sent from client to server | flow.cs-bytes
network_interface | Name of the network interface | flow.interface-name
capture_hostname | Hostname where the flow was captured | flow.hostname
dest_ip | IP address of the server in dotted-quad notation | flow.s-ip
dest_mac | MAC address of the server's packets, in hexadecimal format | flow.s-mac
bytes_out | Number of bytes sent from server to client | flow.sc-bytes
time_taken | Number of microseconds, from the end user's perspective, that it took to complete the flow event | flow.time-taken
id | ICMP message ID | icmp.id
code | ICMP message code | icmp.code
code_string | ICMP message code as a string | icmp.code-string
type | ICMP message type | icmp.type
type_string | ICMP message type as a string | icmp.type-string
checksum | ICMP message checksum | icmp.checksum
sequence | ICMP message sequence number | icmp.sequence
data | ICMP message data | icmp.data

SNMP

Simple Network Management Protocol (RFC 3413)

Name | Description | Term
bytes | Total number of bytes transferred | flow.bytes
c_ip | IP address of the client in dotted-quad notation | flow.c-ip
src_mac | MAC address of the client's packets, in hexadecimal format | flow.c-mac
src_port | Client port number | flow.c-port
bytes_in | Number of bytes sent from client to server | flow.cs-bytes
data_packets_in | Number of data packets sent from client to server | flow.cs-data-packets
packets_in | Total number of packets sent from client to server | flow.cs-packets
dest_ip | IP address of the server in dotted-quad notation | flow.s-ip
dest_mac | MAC address of the server's packets, in hexadecimal format | flow.s-mac
dest_port | Server port number | flow.s-port
bytes_out | Number of bytes sent from server to client | flow.sc-bytes
data_packets_out | Number of data packets sent from server to client | flow.sc-data-packets
packets_out | Total number of packets sent from server to client | flow.sc-packets
time_taken | Number of microseconds, from the end user's perspective, that it took to complete the flow event | flow.time-taken
transport | Transport layer protocol (udp or tcp) | flow.transport
community | Community name | snmp.community
method | SNMP request type | snmp.method
name | Name of the user | snmp.name
request_id | Request identifier | snmp.request-id
varbind_list | JSON array of {"oid": varbind_oid, "value": varbind_value, "type": varbind_value_type} objects | snmp.varbind_list
version | SNMP version | snmp.version
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

