WARNING: Version 6.1 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Flow Event fields
These fields contain data about the flow itself.
start_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the first packet for the flow was seen.
last_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the most recently processed packet for the flow was seen.
final
Indicates whether the event is the last event in the flow. If final is false, the event reports an intermediate flow state only.
flow_id
Internal flow ID based on connection metadata and address.
vlan
Innermost VLAN address used in network packets.
outer_vlan
Second innermost VLAN address used in network packets.
source fields
Properties of the source host
source.mac
Source MAC address as indicated by first packet seen for the current flow.
source.ip
Innermost IPv4 source address as indicated by first packet seen for the current flow.
source.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ip
Second innermost IPv4 source address as indicated by first packet seen for the current flow.
source.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.ipv6
Innermost IPv6 source address as indicated by first packet seen for the current flow.
source.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ipv6
Second innermost IPv6 source address as indicated by first packet seen for the current flow.
source.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.port
Source port number as indicated by first packet seen for the current flow.
stats fields
Object with source to destination flow measurements.
source.stats.net_packets_total
type: long
Total number of packets
source.stats.net_bytes_total
type: long
Total number of bytes
dest fields
Properties of the destination host
dest.mac
Destination MAC address as indicated by first packet seen for the current flow.
dest.ip
Innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ip
Second innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.ipv6
Innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ipv6
Second innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.port
Destination port number as indicated by first packet seen for the current flow.
stats fields
Object with destination to source flow measurements.
dest.stats.net_packets_total
type: long
Total number of packets
dest.stats.net_bytes_total
type: long
Total number of bytes
icmp_id
ICMP ID used in an ICMP-based flow.
connection_id
Optional TCP connection ID.
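Because a flow can be reported several times (intermediate events with final set to false, then one final event), a consumer has to collapse events by flow_id before counting bytes or connections. The following is an added example, not part of the Packetbeat documentation: it assumes events are already decoded from JSON into dictionaries, that the stats counters are cumulative for the flow, and that dest.stats may be missing when no reply traffic was seen; the flow_id values, addresses and counters are constructed.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the documented YYYY-MM-DDTHH:MM:SS.milliZ

# Constructed sample events (flow_id values, addresses and counters are made up).
SAMPLE_EVENTS = [
    {"flow_id": "flow-A", "final": True,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:35.571Z",
     "source": {"ip": "192.0.2.10", "stats": {"net_bytes_total": 4800}},
     "dest": {"ip": "198.51.100.7", "stats": {"net_bytes_total": 9100}}},
    {"flow_id": "flow-A", "final": False,  # older intermediate report, arrives late
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:15.071Z",
     "source": {"ip": "192.0.2.10", "stats": {"net_bytes_total": 1200}},
     "dest": {"ip": "198.51.100.7", "stats": {"net_bytes_total": 800}}},
    {"flow_id": "flow-B", "final": False,  # still open, no reply traffic yet
     "start_time": "2015-01-24T14:07:00.000Z", "last_time": "2015-01-24T14:07:02.000Z",
     "source": {"ip": "192.0.2.11", "stats": {"net_bytes_total": 120}},
     "dest": {"ip": "198.51.100.9"}},
]

def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)

def summarize_flows(events):
    """Collapse intermediate and final flow events into one record per flow_id."""
    latest = {}
    for ev in events:
        seen = latest.get(ev["flow_id"])
        # A final event always wins; otherwise keep the most recent last_time.
        if seen is None or (not seen["final"] and (
                ev["final"] or parse_ts(ev["last_time"]) >= parse_ts(seen["last_time"]))):
            latest[ev["flow_id"]] = ev
    summary = {}
    for flow_id, ev in latest.items():
        duration = parse_ts(ev["last_time"]) - parse_ts(ev["start_time"])
        summary[flow_id] = {
            "closed": ev["final"],  # False means only intermediate state is known
            "duration_s": duration.total_seconds(),
            "bytes_out": ev["source"]["stats"]["net_bytes_total"],
            # Assumption: dest.stats is absent when no reply packet was seen.
            "bytes_in": ev.get("dest", {}).get("stats", {}).get("net_bytes_total", 0),
        }
    return summary

if __name__ == "__main__":
    for flow_id, record in summarize_flows(SAMPLE_EVENTS).items():
        print(flow_id, record)
```

Summing net_bytes_total across every event of a flow would count the same traffic more than once; only the retained event per flow_id should feed volume-based alerts.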