Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

File Transfer

Splunk App for Stream supports capture of these File Transfer protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.

FTP

File Transfer Protocol RFC 959

Name | Description | Term
src_ip | Client IP address | flow.c-ip
dest_ip | Server IP address | flow.s-ip
src_port | Client port number | flow.c-port
dest_port | Server port number | flow.s-port
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac
packets_in | The total number of packets sent from client to server | flow.cs-packets
packets_out | The total number of packets sent from server to client | flow.sc-packets
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets
bytes_in | The number of bytes sent from client to server | flow.cs-bytes
bytes_out | The number of bytes sent from server to client | flow.sc-bytes
bytes | The total number of bytes transferred | flow.bytes
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken
request_time | Number of microseconds it took the client to send a request | flow.cs-send-time
request_ack_time | Number of microseconds it took the server to acknowledge receipt of the request | flow.cs-ack-time
reply_time | Number of microseconds it took the server to start replying to a request | flow.sc-reply-time
response_time | Number of microseconds it took the server to send a response | flow.sc-send-time
response_ack_time | Number of microseconds it took the client to acknowledge receipt of the response | flow.sc-ack-time
ssl_time | Number of microseconds it took to negotiate an SSL handshake | flow.ssl-time
ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets
refused | Number of requests that were refused by the server | flow.refused
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled
connection | TCP session server endpoint (IP address and TCP port) | flow.connection
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol
transport | Transport layer protocol (udp or tcp) | flow.transport
login | User's login string | ftp.login
loadway | The file transfer direction (Upload vs Download) | ftp.loadway
method | The FTP command sent | ftp.method
filename | Name of the transferred file | ftp.filename
filesize | Size (bytes) of the transferred file | ftp.filesize
data_port | Data connection TCP port | ftp.data-port
content_type | The content type of the transferred file | ftp.content-type
greeting | First line of the server banner | ftp.greeting-message
offset | Start offset of the file transfer | ftp.offset
password | User's password string | ftp.password
reply_code | FTP server reply code | ftp.reply-code
reply_content | FTP server response message content | ftp.reply-content
inherent_parent | Parent inheritance key, stored in a hashtable and kept until parent session expiration | ftp.inherent-parent
transfer_duration | Transfer duration | ftp.transfer-duration
ftp_index | Identifier of the request and response in an FTP flow | ftp.index

HTTP

Hypertext Transfer Protocol RFC 7230

Name | Description | Term
bytes | Total number of bytes transferred | flow.bytes
bytes_in | Number of bytes sent from client to server | flow.cs-bytes
bytes_out | Number of bytes sent from server to client | flow.sc-bytes
cookie | Cookie HTTP request header | http.cookie
dest_ip | IP address of the server in dot-quad notation | flow.s-ip
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac
dest_port | Server port number | flow.s-port
form_data | A url-encoded string represent | flow.s-ip
http_comment | The HTTP status message returned to the client | http.comment
http_content_length | HTTP response content length | http.content-length
http_content_type | The Content-Type HTTP response header | http.content-type
http_method | The HTTP method of the request (GET, POST, etc.) | http.method
http_referrer | The Referer HTTP request header | http.referer
http_user_agent | The User-Agent HTTP request header | http.useragent
server | The Server HTTP response header | http.server
site | The Host HTTP request header | http.host
src_ip | IP address of the client in dot-quad notation. Contains the value of the X-Forwarded-For header, or equals flow.c-ip if X-Forwarded-For is not set. | http.c-ip
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac
src_port | Client port number | flow.c-port
ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version
status | The HTTP status code returned to the client | http.status
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken
title | Page title, extracted from HTML content | http.page-title
transport | Transport layer protocol (udp or tcp) | flow.transport
uri_parm | The parameters portion of the requested resource | http.uri-parm
uri_path | The requested resource (excluding query) | http.uri-stem
uri_query | The query portion of the requested resource | http.uri-query
accept | The Accept HTTP request header | http.accept
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets
allow | The Allow HTTP response header | http.allow
c_ip | IP address of the client in dot-quad notation | flow.c-ip
cached | 1 if the response was cached, 0 if it was not | http.cached
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum
connection | TCP session server endpoint (IP address and TCP port) | flow.connection
content_location | The Content-Location HTTP response header | http.content-location
cs_content_length | HTTP request content length | http.cs-content-length
cs_content_type | The Content-Type HTTP request header | http.cs-content-type
cs_version | The protocol version that the client used | http.cs-version
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets
dest_content | All HTTP payload content sent from server to client | http.sc-content
dest_headers | All HTTP headers sent from server to client | http.sc-headers
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets
location | The Location HTTP response header | http.location
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets
packets_in | The total number of packets sent from client to server | flow.cs-packets
packets_out | The total number of packets sent from server to client | flow.sc-packets
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol
refused | Number of requests that were refused by the server | flow.refused
reply_time | Number of microseconds it took the server to start replying to a request | flow.sc-reply-time
request | The request line exactly as it came from the client | http.request
request_ack_time | Number of microseconds it took the server to acknowledge receipt of the request | flow.cs-ack-time
request_time | Number of microseconds it took the client to send a request | flow.cs-send-time
response_ack_time | Number of microseconds it took the client to acknowledge receipt of the response | flow.sc-ack-time
response_time | Number of microseconds it took the server to send a response | flow.sc-send-time
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum
set_cookie | The Set-Cookie HTTP response header | http.set-cookie
src_content | All HTTP payload content sent from client to server | http.cs-content
src_headers | All HTTP headers sent from client to server | http.cs-headers
ssl_time | Number of microseconds it took to negotiate an SSL handshake | flow.ssl-time
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status
transfer_encoding | The Transfer-Encoding HTTP response header | http.transfer-encoding
uri | The requested resource (including query) | http.uri
user | The username under which the user authenticated | http.authuser
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0
