Splunk Stream

Installation and Configuration Manual

Splunk Stream search syntax

The table summarizes Stream source and sourcetype search syntax.

Stream 6.1.0 or later Example
Syntax source=stream:<stream-id> sourcetype=stream:<protocol>
Search for a specific <stream-id> source=stream:<stream-id> source=stream:http, source=stream:tcp
Search for all <protocol> streams sourcetype=stream:<protocol> sourcetype=stream:http, sourcetype=stream:tcp

Note: The name that Stream assigns to an individual <stream-id> is the same as the underlying protocol.

How NetFlow timestamp data is processed

When any of the following fields are in a your NetFlow data, the Stream forwarder for the event sets the Splunk timestamp field to the value contained in the NetFlow flowStart* field and the Splunk endtime field value to be the value contained in the NetFlow flowEnd* field.

  • flowStartSeconds
  • flowEndSeconds
  • flowStartMilliseconds
  • flowEndMilliseconds
  • flowStartMicroseconds
  • flowEndMicroseconds
  • flowStartNanoseconds
  • flowEndNanoseconds

For NetFlow records that are not flow related, when observationTime* fields are available, Stream forwarder sets the Splunk timestamp and endtime fields to the NetFlow observationTime*.

If both flowStart* and observationTime* fields are in your NetFlow data, then Stream forwarder sets the Splunk Search timestamp to be the NetFlow flowStart* and the Splunk Search endtime field to contain the NetFlow observationTime* value.

If none of the above fields are present, and a NetFlow record has any of the following fields:

  • "first switch"(flowStartSysUpTime),
  • "last switch"(flowEndSysUpTime),
  • "system uptime"
  • "current device time in unix epoch"

then Stream forwarder calculates the Splunk Search timestamp and endtime as follows:

  • timestamp = ("device time in unix epoch" - "system uptime") + "first switched"(flowStartSysUpTime)
  • endtime = ("device time in unix epoch" - "system uptime") + "last switched"(flowEndSysUpTime)
Last modified on 03 March, 2022
Splunk Stream REST API reference   FAQ

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters