Simple Transport
Splunk App for Stream supports capture of these Simple Transport protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
If you configure traffic with a VLAN ID, you must configure it for both traffic directions. Otherwise you may experience a mismatch of VLANs in the TCP streams, which can cause queue overflow errors and traffic loss.
ARP
Address Resolution Protocol RFC 826
Name | Description | Term |
---|---|---|
src_ip | Source IP Address | flow.c-ip |
src_mac | Source MAC address in hexadecimal format | flow.c-mac |
network_interface | Name of network interface | flow.interface-name |
capture_hostname | Hostname where Flow was captured | flow.hostname |
vlan_id | VLAN ID from 802.1Q. In a header with multiple vlan tags, vlan_id is the outermost tag | flow.vlan-id |
vlan_tags | All VLAN tags collected from 802.1Q and 802.1ad headers | flow.vlan-tags |
dest_ip | Destination IP Address | flow.s-ip |
dest_mac | Destination MAC address in hexadecimal format | flow.s-mac |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
flow_id | Flow ID | flow.flow-id |
protocol_stack | Protocol stack of Flow | flow.protocol-stack |
opcode | Operation code, Request = 1, Response = 2 | arp.opcode |
protocol_type | Protocol number in the ARP message | arp.protocol-type |
protocol_size | Size in bytes of the logical address requested | arp.protocol-size |
hardware_type | Hardware type for which the request is sent | arp.hardware-type |
hardware_size | Hardware (MAC) address length | arp.hardware-size |
arp_src_mac | ARP sender MAC address in hexadecimal format in ARP packet header | arp.src-mac |
arp_dest_mac | ARP destination MAC address, in hexadecimal format, in ARP packet header | arp.dest-mac |
IP
Internet Protocol RFC 791
Name | Description | Term |
---|---|---|
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | MAC address of client packets in hexadecimal format | flow.c-mac |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
src_content | All raw payload content sent from client to server | flow.cs-content |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
network_interface | Name of network interface | flow.interface-name |
capture_hostname | Hostname where Flow was captured | flow.hostname |
protoid | Upper layer protocol | ip.protoid |
app | Layer 4 protocol name | flow.protocol |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | MAC address of server packets in hexadecimal format | flow.s-mac |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
dest_content | All raw payload content sent from server to client | flow.sc-content |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
version | IP version | ip.version |
tos | Type of Service | ip.tos |
TCP
Transmission Control Protocol RFC 793
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | MAC address of client packets in hexadecimal format | flow.c-mac |
dest_mac | MAC address of server packets in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version |
ssl_session_id | SSL session ID | flow.ssl-session-id |
ssl_cert_md5 | md5 of SSL certificate | flow.ssl-cert-md5 |
ssl_commonname | Common name with domain name of subject in SSL certificate | flow.ssl-cert-subject-commonname |
ssl_orgname | Organization name of subject in SSL certificate | flow.ssl-cert-subject-orgname |
ssl_issuer | Organization name of issuer in SSL certificate | flow.ssl-cert-issuer-orgname |
ssl_serialnumber | Serial number of SSL certificate | flow.ssl-cert-serialnumber |
ssl_validity_end | SSL certificate validity end date | flow.ssl-cert-validity-not-after |
ssl_validity_start | SSL certificate validity start date | flow.ssl-cert-validity-not-before |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time, in microseconds, from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time, in microseconds, from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
UDP
User Datagram Protocol RFC 768
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | MAC address of client packets in hexadecimal format | flow.c-mac |
dest_mac | MAC address of server packets in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3