Splunk Stream

User Manual

Stream field details

This topic provides information about the protocol fields captured by Splunk Stream.

Latency information

Field        Description
time_taken   The event duration in microseconds, that is, the time difference between the timestamps of the last and first packets that comprise an event, plus the client_rtt time (if applicable for that protocol). For example, for an HTTP request/response event (sourcetype=stream:http) the first packet is the first request packet and the last packet is either the last response packet or, if captured, the client ACK packet acknowledging the last response packet. For a "flow" event (tcp or udp) the first and last packets are the first and last packets in the entire flow, respectively.

The following metrics are calculated for tcp-based protocol events:

Field        Description
client_rtt   The average round trip time, in microseconds, from the client to the point of capture. This is calculated by an algorithm that correlates data packet timestamps with the timestamps of the corresponding acknowledgment packets.
server_rtt   The average round trip time, in microseconds, from the server to the point of capture. This is calculated by an algorithm that correlates data packet timestamps with the timestamps of the corresponding acknowledgment packets.

The following metrics are calculated for request/response protocols such as HTTP, FTP, or SMTP:

Field               Description
request_time        The number of microseconds that it took the client to send the request, that is, the time difference between the last and first request data packets. The value is 0 if the request fits in a single packet.
response_time       Similar to request_time, but for the server response data.
reply_time          The number of microseconds between the last request packet and the first response packet.
request_ack_time    The time difference between the last request packet and the ACK packet from the server acknowledging the last request packet.
response_ack_time   Similar to request_ack_time, but timing the acknowledgment of the last response packet.
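The following is an added worked example, not Splunk's own code, that derives each of the latency fields above from a constructed packet timeline so the relationships between them can be checked by hand. It assumes a simplified capture model in which every pure ACK acknowledges the most recent data packet seen from the other side, and computes client_rtt and server_rtt as the mean data-to-ACK gap at the capture point; Splunk Stream's actual correlation algorithm is not documented here.

```python
# Added worked example (not Splunk's code): derive Splunk Stream-style latency
# fields from a constructed packet timeline. Assumption: each ACK acknowledges
# the most recent data packet seen from the other side (cumulative ACK).
from collections import namedtuple

# ts: capture timestamp in microseconds; src: "client"/"server"; kind: "data"/"ack"
Packet = namedtuple("Packet", "ts src kind")

def avg_ack_delay(packets, data_src):
    """Mean gap between a data packet from data_src and the next ACK from the
    other side, i.e. the RTT between that other side and the capture point."""
    delays, pending = [], None
    for p in packets:
        if p.kind == "data" and p.src == data_src:
            pending = p.ts            # a later data packet supersedes it
        elif p.kind == "ack" and p.src != data_src and pending is not None:
            delays.append(p.ts - pending)
            pending = None
    return sum(delays) // len(delays) if delays else 0

def first_ack_after(packets, src, ts):
    return next((p.ts for p in packets
                 if p.src == src and p.kind == "ack" and p.ts >= ts), None)

def latency_fields(packets):
    packets = sorted(packets, key=lambda p: p.ts)
    req = [p.ts for p in packets if p.src == "client" and p.kind == "data"]
    resp = [p.ts for p in packets if p.src == "server" and p.kind == "data"]
    req_ack = first_ack_after(packets, "server", req[-1])
    resp_ack = first_ack_after(packets, "client", resp[-1])
    client_rtt = avg_ack_delay(packets, "server")  # server data -> client ACK
    server_rtt = avg_ack_delay(packets, "client")  # client data -> server ACK
    # time_taken: first request packet to client ACK of the last response
    # packet (or the last response packet if no ACK was captured) + client_rtt
    last = resp_ack if resp_ack is not None else resp[-1]
    return {
        "client_rtt": client_rtt,
        "server_rtt": server_rtt,
        "request_time": req[-1] - req[0],   # 0 when the request is one packet
        "response_time": resp[-1] - resp[0],
        "reply_time": resp[0] - req[-1],
        "request_ack_time": None if req_ack is None else req_ack - req[-1],
        "response_ack_time": None if resp_ack is None else resp_ack - resp[-1],
        "time_taken": last - req[0] + client_rtt,
    }

# Constructed HTTP exchange (microseconds): 2 request pkts, server ACK, 3 response pkts, client ACK
SAMPLE = [Packet(0, "client", "data"), Packet(400, "client", "data"),
          Packet(1500, "server", "ack"), Packet(9000, "server", "data"),
          Packet(9300, "server", "data"), Packet(9800, "server", "data"),
          Packet(12000, "client", "ack")]
```

Running latency_fields(SAMPLE) gives request_time 400, reply_time 8600, response_time 800, request_ack_time 1100, response_ack_time 2200 and time_taken 14200 (12000 plus a client_rtt of 2200), matching the definitions in the tables above.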
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3