Stream field details
This topic provides information about the protocol fields captured by Splunk Stream.
Latency information
Field | Description |
---|---|
time_taken | The event duration in microseconds, i.e. the time difference between the timestamps of the last and first packets that comprise an event, plus client_rtt time (if applicable for that protocol). For example, for an HTTP request/response event (sourcetype=stream:http) the first packet is the first request packet and the last packet is either the last response packet or the client ACK packet acknowledging the last response packet, if captured. For a "flow" event (tcp or udp) the first and last packets are the first and last packets in the entire flow, respectively. |
The following metrics are calculated for tcp-based protocol events:
Field | Description |
---|---|
client_rtt | The average round trip time, in microseconds, from the client to the point of capture. This is calculated based on an algorithm that correlates data packet timestamps with corresponding acknowledgment packet timestamps. |
server_rtt | The average round trip time, in microseconds, from the server to the point of capture. This is calculated based on an algorithm that correlates data packet timestamps with corresponding acknowledgment packet timestamps. |
The following metrics are calculated for request/response protocols such as HTTP, FTP, or SMTP.
Field | Description |
---|---|
request_time | The number of microseconds that it took the client to send the request, that is, the time difference between the last and first request data packets. The value is 0 if the request fits in a single packet. |
response_time | Similar to request_time, but for the server response data. |
reply_time | The number of microseconds between the last request packet and the first response packet. |
request_ack_time | The time difference between the last request packet and the ACK packet from the server acknowledging the last request packet. |
response_ack_time | Similar to request_ack_time, but timing the acknowledgment of the last response packet. |
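The following is an added example, not part of the Splunk Stream documentation and not Splunk's implementation. It computes the latency fields defined above (time_taken, client_rtt, server_rtt, and the request/response metrics) from a constructed capture of one HTTP-style exchange. The packet trace, the `Packet` class and the ACK-correlation rule (earliest peer packet whose cumulative ACK number covers the end of a data segment) are assumptions chosen to illustrate the definitions; Splunk's exact RTT algorithm is not described on this page.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    """One captured TCP segment (constructed for this example)."""
    ts: int        # capture timestamp, microseconds
    src: str       # "client" or "server"
    seq: int       # sequence number of the first payload byte
    ack: int       # cumulative acknowledgment number
    payload: int   # payload length in bytes (0 for a pure ACK)

    @property
    def end(self) -> int:
        # Sequence number just past this segment's last payload byte
        return self.seq + self.payload

def first_ack_for(data: Packet, packets: List[Packet]) -> Optional[Packet]:
    """Earliest packet from the peer, captured after `data`, whose ACK covers it.
    Assumption: this is how data and ACK timestamps are correlated."""
    for p in packets:
        if p.ts > data.ts and p.src != data.src and p.ack >= data.end:
            return p
    return None

def avg_rtt(data_src: str, packets: List[Packet]) -> int:
    """Average (data timestamp -> ACK timestamp) over the segments sent by
    `data_src` that were acknowledged in the capture; 0 if none were."""
    samples = []
    for d in packets:
        if d.src == data_src and d.payload > 0:
            a = first_ack_for(d, packets)
            if a is not None:
                samples.append(a.ts - d.ts)
    return int(mean(samples)) if samples else 0

def latency_fields(packets: List[Packet]) -> Dict[str, Optional[int]]:
    """Derive the latency fields described on this page for one
    request/response event. All values are in microseconds."""
    packets = sorted(packets, key=lambda p: p.ts)
    req = [p for p in packets if p.src == "client" and p.payload > 0]
    resp = [p for p in packets if p.src == "server" and p.payload > 0]
    if not req or not resp:
        raise ValueError("need at least one request and one response data packet")

    # client_rtt: server data -> client ACK (client side of the capture point)
    # server_rtt: client data -> server ACK (server side of the capture point)
    client_rtt = avg_rtt("server", packets)
    server_rtt = avg_rtt("client", packets)

    req_ack = first_ack_for(req[-1], packets)
    resp_ack = first_ack_for(resp[-1], packets)

    # The event ends at the client ACK of the last response packet if it was
    # captured, otherwise at the last response packet itself.
    last = resp_ack if resp_ack is not None else resp[-1]

    return {
        "request_time": req[-1].ts - req[0].ts,            # 0 for a single-packet request
        "response_time": resp[-1].ts - resp[0].ts,
        "reply_time": resp[0].ts - req[-1].ts,
        "request_ack_time": (req_ack.ts - req[-1].ts) if req_ack else None,
        "response_ack_time": (resp_ack.ts - resp[-1].ts) if resp_ack else None,
        "client_rtt": client_rtt,
        "server_rtt": server_rtt,
        "time_taken": last.ts - req[0].ts + client_rtt,
    }

# Constructed trace: a two-segment request, a server ACK, a two-segment
# response, and the client ACKs for each response segment.
SAMPLE_PACKETS = [
    Packet(ts=0,    src="client", seq=1,   ack=1,   payload=100),
    Packet(ts=200,  src="client", seq=101, ack=1,   payload=50),
    Packet(ts=1200, src="server", seq=1,   ack=151, payload=0),
    Packet(ts=5000, src="server", seq=1,   ack=151, payload=300),
    Packet(ts=5300, src="server", seq=301, ack=151, payload=100),
    Packet(ts=6000, src="client", seq=151, ack=301, payload=0),
    Packet(ts=6400, src="client", seq=151, ack=401, payload=0),
]

if __name__ == "__main__":
    for name, value in latency_fields(SAMPLE_PACKETS).items():
        print(f"{name:18} {value}")
```

Running the block prints each field for the sample trace. Dropping the final client ACK from the trace (`SAMPLE_PACKETS[:-1]`) shows the two caveats the table mentions: response_ack_time becomes unavailable, and time_taken falls back to the last response packet plus the (now single-sample) client_rtt.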
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0