Streaming Media
Splunk App for Stream supports capture of these Streaming Media protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
RTP
Real-time Transport Protocol RFC3550
| Name | Description | Term |
|---|---|---|
| lost | Count of lost packets | rtp.lost |
| unseq | Number of mis-ordered packets | rtp.unseq |
| ssrc | SSRC Identifier | rtp.ssrc |
| rtp_timestamp | RTP packet timestamp | rtp.timestamp |
| mos_session | Standard Mean Opinion Score voice quality indicator | rtp.mos-session |
| rfactor | Rfactor indicator value, following the E-model from ITU-T G.107 and G.107.1 | rtp.rfactor |
| snumber | Sequence number of RTP packet | rtp.snumber |
| codec_name | Name of the codec (aka Payload type) | rtp.codec-name |
| end_session | Present in events containing summary information about an RTP session | rtp.end-session |
| codec_index | Number identifying the codec (aka Payload type) | rtp.codec-index |
| session_duration | Call setup duration (in microseconds) | rtp.session-duration |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Source IP Address | flow.c-ip |
| src_mac | Source packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Source port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | Total number of packets sent from client to server | flow.cs-packets |
| network_interface | Name of network interface | flow.interface-name |
| capture_hostname | Hostname where Flow was captured | flow.hostname |
| dest_ip | Destination IP Address | flow.s-ip |
| dest_mac | Destination packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Destination port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| transport | Transport level protocol | flow.transport |
| vlan_id | VLAN ID from 802.1Q header. With multiple vlan tags, vlan_id is the outermost tag. | flow.vlan-id |
| vlad_tags | All VLAN tags collected from 802.1Q and 802.1ad headers. | flow.vlan-tags |
SIP
Session Initiation Protocol RFC3261
| Name | Description | Term |
|---|---|---|
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| accept_language | Indicates the preferred languages | sip.accept-language |
| alert_info | Specifies an alternative ring tone | sip.alert-info |
| call_duration | Call duration in seconds | sip.call-duration |
| call_id | Call ID, extracted for each call | sip.call-id |
| call_info | Provides additional information about the caller or callee | sip.call-info |
| callee | The identity of the called party for a call | sip.callee |
| callee_addr | IPv4 address which could be used by the called party | sip.callee-addr |
| callee_addr_v6 | IPv6 address which could be used by the called party | sip.callee-addr-v6 |
| callee_domain | Callee's domain | sip.callee-domain |
| callee_e164 | Format of the callee telephone numbers | sip.callee-e164 |
| callee_nickname | Callee nickname | sip.callee-nickname |
| callee_port | Port which could be used by the callee | sip.callee-port |
| callee_server_agent | Server's software used by the callee | sip.callee-server-agent |
| callee_user_agent | Client's software used by the callee | sip.callee-user-agent |
| callee_user_phone | Callee's phone presence flag | sip.callee-user-phone |
| caller | Contains the identity of the initiator of the call | sip.caller |
| caller_addr | IPv4 address that could be used by the initiator of the call | sip.caller-addr |
| caller_addr_v6 | IPv6 address that could be used by the initiator of the call | sip.caller-addr-v6 |
| caller_domain | Caller's domain | sip.caller-domain |
| caller_e164 | Format of the caller's telephone numbers | sip.caller-e164 |
| caller_nickname | Caller nickname | sip.caller-nickname |
| caller_port | Port that could be used by the caller | sip.caller-port |
| caller_server_agent | Server's software in the caller way | sip.caller-server-agent |
| caller_user_agent | Client's software in the caller way | sip.caller-user-agent |
| caller_user_phone | Caller's phone presence flag | sip.caller-user-phone |
| confcall_callee | Callee's name in a confcall | sip.confcall-callee |
| confcall_caller | Caller's name in a confcall | sip.confcall-caller |
| connection_info_addr | Connection IPv4 address | sip.connection-info-addr |
| connection_info_addr_type | Connection address type | sip.connection-info-addr-type |
| connection_info_addr_v6 | Connection IPv6 address | sip.connection-info-addr-v6 |
| connection_info_net_type | Network type for the connection | sip.connection-info-net-type |
| contact | The Contact header field provides a SIP or SIPS URI that can be used to contact that specific instance of the UA for subsequent requests | sip.contact |
| cseq | Sequence number | sip.cseq |
| data_port | Data port for client's protocol | sip.data-port |
| date | Contains the date and time | sip.date |
| end_status | Status of the call end | sip.end-status |
| from | The initiator of the request | sip.from |
| from_tag | A globally unique ID of the caller | sip.from-tag |
| media_attr | Media attributes | sip.media-attr |
| media_attr_addr | The mentioned IPv4 address to be used | sip.media-attr-addr |
| media_attr_addr_v6 | The mentioned IPv6 address to be used | sip.media-attr-addr-v6 |
| media_attr_channel | The channel value | sip.media-attr-channel |
| media_attr_encoding | The encoding of media data | sip.media-attr-encoding |
| media_attr_label | The label for media data | sip.media-attr-label |
| media_attr_param | The param information of media data | sip.media-attr-param |
| media_attr_port | The transport port to be used | sip.media-attr-port |
| media_attr_rate | The encoding rate | sip.media-attr-rate |
| media_attr_type | Contains the media type (audio or video) | sip.media-attr-type |
| media_attr_value | XXX | sip.media-attr-value |
| media_format | Client protocol formats available | sip.media-format |
| media_proto | Protocol used in client stream | sip.media-proto |
| media_type | Contains the media type | sip.media-type |
| method | The command | sip.method |
| mime_type | Data type | sip.mime-type |
| p_asserted_id | Indicates the identity of the trusted SIP server | sip.p-asserted-id |
| proxy_authorization | Allows the client to identify itself (or its user) to a proxy that requires authentication | sip.proxy-authorization |
| reason | The reason a Session Initiation Protocol request was issued | sip.reason |
| record_route | The Record-Route header field is inserted by proxies in a request to force future requests in the dialog to be routed through the proxy | sip.record-route |
| remote_party_id | The IP address of the remote party | sip.remote-party-id |
| reply_code | Return status code | sip.reply-code |
| request_call_id | Call ID extracted for each SIP request | sip.request-call-id |
| server_agent | Server's software | sip.server-agent |
| session_duration | Session duration in seconds | sip.session-duration |
| setup_delay | Call setup delay in microseconds | sip.setup-delay |
| start_time | Start date of the call | sip.start-time |
| subject | The subject present in the SIP packet | sip.subject |
| time_before_spk | Waiting delay before speak, in microseconds | sip.time-before-spk |
| to | The recipient of the request | sip.to |
| to_tag | A globally unique ID of the callee | sip.to-tag |
| uri | Contains the URI (similar to To: field) | sip.uri |
| useragent | Client's software | sip.user-agent |
| user_id | Client identifier used for registering with a SIP server | sip.user-id |
| via | The Via header field indicates the transport used for the transaction and identifies the location where the response is to be sent | sip.via |
| www_authenticate | Contains an authentication challenge | sip.www-authenticate |
Last modified on 03 March, 2022
| Simple Transport | Protocols that map to Splunk CIM |
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3
Download manual
Feedback submitted, thanks!