Splunk App for Stream supports capture of these Messaging protocols on Linux, Mac, and Windows. For more information see Configure Streams in the Splunk App for Stream User Manual.
AMQP
Advanced Messaging Queuing Protocol ISO/IEC 19464
| Name | Description | Term |
|---|---|---|
| major_version | Major version of the protocol | amqp.major-version |
| method | Command launched | amqp.method |
| minor_version | Minor version of the protocol | amqp.minor-version |
| response_time | Server response time in microseconds | amqp.response-time |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP Address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | Server IP Address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
| transport | Transport level protocol | flow.transport |
IRC
Internet Relay Chat RFC 1459
| Name | Description | Term |
|---|---|---|
| bytes | The total number of bytes transferred | flow.bytes |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| client_rtt | Average round trip time, in microseconds, from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| request_time | Number of microseconds it took the client to send a request | flow.cs-send-time |
| server_rtt | Average round trip time, in microseconds, from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| refused | Number of requests that were refused by the server | flow.refused |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption; undefined if not encrypted | flow.ssl-version |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| chat_room_name | Chat room name | irc.channel |
| channel_name | Name of the IRC channel | irc.channel-name |
| file_identifier | File correlation key | irc.file-id |
| filename | Name of the transferred file | irc.filename |
| login | User's login string | irc.login |
| login_server | Concatenated login and server | irc.login-server |
| message | Contains the chat message | irc.message |
| mode | Status of the IRC channel | irc.mode-status |
| nickname | User's alias | irc.nick-name |
| receiver | The identity of the receiver for a chat message or a file transfer | irc.receiver |
| sender | The identity of the sender of a chat session or a file transfer | irc.sender |
| server | Server name to which the user is connected | irc.server |
SMPP
Short Message Peer to Peer
| Name | Description | Term |
|---|---|---|
| content | Content of the Short Message | smpp.content |
| receiver | Receiver address | smpp.receiver |
| sender | Sender address | smpp.sender |
| bytes | Total number of bytes transferred | flow.bytes |
| src_ip | Client IP Address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | Server IP Address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
| transport | Transport level protocol | flow.transport |
XMPP
Extensible Messaging and Presence Protocol RFC 6120
| Name | Description | Term |
|---|---|---|
| bytes | The total number of bytes transferred | flow.bytes |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| client_rtt | Average round trip time, in microseconds, from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| request_time | Number of microseconds it took the client to send a request | flow.cs-send-time |
| server_rtt | Average round trip time, in microseconds, from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| refused | Number of requests that were refused by the server | flow.refused |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| reply_time | Number of microseconds it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds it took the server to send a response | flow.sc-send-time |
| ssl_time | Number of microseconds it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| time_taken | Number of microseconds, from the end user perspective, that it took to complete a flow event | flow.time-taken |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| call_duration | Contains call duration in microseconds | xmpp.call-duration |
| call_id | Contains call ID, extracted for each call | xmpp.call-id |
| callee | Contains the identity (or the phone number) of the called party for a call | xmpp.callee |
| callee_addr | Contains address that could be used by the called party | xmpp.callee-address |
| callee_port | Contains port on which the callee could receive a call | xmpp.callee-port |
| caller | Contains the identity (or the phone number) of the initiator of the call | xmpp.caller |
| caller_addr | Contains address which could be used by the initiator of the call | xmpp.caller-address |
| caller_port | Contains port on which the caller could start the call | xmpp.caller-port |
| os | Contains the client operating system | xmpp.client-os |
| contact_login | Contact login | xmpp.contact-login |
| contact_name | Contact name | xmpp.contact-name |
| contact_status | Contact status | xmpp.contact-status |
| file_chunk_content | Contains content of the transferred data | xmpp.file-chunk-content |
| file_chunk_len | Contains size of the transferred piece | xmpp.file-chunk-length |
| file_chunk_sid | Transferred file identifier | xmpp.file-chunk-sid |
| file_sender | Contains the identity of the sender of a file transfer | xmpp.file-sender |
| file_sid | Contains transferred file identifier | xmpp.file-sid |
| filesize | Contains size (byte) of the transferred file | xmpp.file-size |
| filename | Contains the name of the transferred file | xmpp.filename |
| login | User's login string | xmpp.login |
| message | Contains the chat message | xmpp.message |
| encoding | Message encoding | xmpp.message-encoding |
| nickname | Used user name | xmpp.nickname |
| receiver | Contains the identity of the receiver of a chat message or a file transfer | xmpp.receiver |
| sender | Contains the identity of the sender of a chat session or a file transfer | xmpp.sender |
| start_time | Contains start date of the call | xmpp.start-time |
| version | JABBER software version | xmpp.version |
For instructions on configuring passive capture of supported protocol data, see "Configure Streams" in the Splunk App for Stream User Manual .
