Splunk Stream

Installation and Configuration Manual

File Service

Splunk App for Stream supports capture of these File Service protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.

NFS

Network File System RFC 7530

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
content File content nfs.content
file-handle Unique identifier for a file nfs.file-handle
filename Accessed, written, or read file name nfs.filename
filesize Size of the file nfs.filesize
gid Identifier of the file owner's group nfs.gid
mode Protection mode bits nfs.mode
offset Offset of the written/read file nfs.offset
command Procedure or command set nfs.command
status Response status for a request nfs.status
type File type nfs.type
uid Generic user Id nfs.uid
version Used version nfs.version

SMB

Server Message Block

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption; undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
login User's login string smb.login
command Command string smb.command
dialect The version of the SMB Protocol smb.dialect
domain Domain name smb.domain
filename Name of the transferred file smb.filename
filesize Size (byte) of the transferred file smb.filesize
native_os Client's operating system smb.native-os
nt_status NT error code smb.nt-status
path The server/share name of the resource to which the client attempts to connect smb.path
search_attributes An attribute mask used to specify the standard attributes a file must have in order to match the search smb.search-attributes
search_pattern The file pattern to search for smb.search-pattern
service The type of resource that the client intends to access smb.service
user_id User identifier (SMB usmb_v1 only) smb.user-id
Last modified on 03 March, 2022
Flow Protocols   File Transfer

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters