Flow Event fields

These fields contain data about the flow itself.

start_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the first packet for the flow was seen.

last_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the most recently processed packet for the flow was seen.

final
Indicates whether this event is the last event for the flow. If final is false, the event reports an intermediate flow state only.
flow_id
Internal flow ID based on connection metadata and addresses.
vlan
Innermost VLAN address used in network packets.
outer_vlan
Second innermost VLAN address used in network packets.

source fields

Properties of the source host

source.mac
Source MAC address as indicated by first packet seen for the current flow.
source.ip
Innermost IPv4 source address as indicated by first packet seen for the current flow.
source.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ip
Second innermost IPv4 source address as indicated by first packet seen for the current flow.
source.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.ipv6
Innermost IPv6 source address as indicated by first packet seen for the current flow.
source.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ipv6
Second innermost IPv6 source address as indicated by first packet seen for the current flow.
source.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.port
Source port number as indicated by first packet seen for the current flow.

stats fields

Object with source to destination flow measurements.

source.stats.net_packets_total

type: long

Total number of packets

source.stats.net_bytes_total

type: long

Total number of bytes

dest fields

Properties of the destination host

dest.mac
Destination MAC address as indicated by first packet seen for the current flow.
dest.ip
Innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ip
Second innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.ipv6
Innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ipv6
Second innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.port
Destination port number as indicated by first packet seen for the current flow.

stats fields

Object with destination to source flow measurements.

dest.stats.net_packets_total

type: long

Total number of packets

dest.stats.net_bytes_total

type: long

Total number of bytes

icmp_id
ICMP ID used in ICMP-based flows.
connection_id
Optional TCP connection ID.
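As an added example (not part of the Packetbeat documentation or its code), the script below parses newline-delimited flow events carrying the fields above and shows why the final flag matters when aggregating. It assumes, as the field descriptions indicate, that source.stats and dest.stats are running totals for the flow, so each report for a flow_id supersedes the previous one and only the most recent report should be counted; summing every intermediate report inflates the byte and packet counts. The sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample Packetbeat flow events (not captured data). Flow "A" is
# reported three times, two intermediate states (final=false) and one final
# state; flow "B" has only an intermediate report so far. Stats are assumed
# to be running totals, so each report supersedes the previous one.
SAMPLE_NDJSON = """\
{"flow_id": "A", "final": false, "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:15.071Z", "source": {"ip": "10.0.0.5", "port": 52134, "stats": {"net_packets_total": 10, "net_bytes_total": 1500}}, "dest": {"ip": "192.0.2.10", "port": 443, "stats": {"net_packets_total": 8, "net_bytes_total": 9000}}}
{"flow_id": "A", "final": false, "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:25.071Z", "source": {"ip": "10.0.0.5", "port": 52134, "stats": {"net_packets_total": 20, "net_bytes_total": 3000}}, "dest": {"ip": "192.0.2.10", "port": 443, "stats": {"net_packets_total": 16, "net_bytes_total": 18000}}}
{"flow_id": "A", "final": true, "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:35.071Z", "source": {"ip": "10.0.0.5", "port": 52134, "stats": {"net_packets_total": 25, "net_bytes_total": 4000}}, "dest": {"ip": "192.0.2.10", "port": 443, "stats": {"net_packets_total": 20, "net_bytes_total": 24000}}}
{"flow_id": "B", "final": false, "start_time": "2015-01-24T14:07:00.000Z", "last_time": "2015-01-24T14:07:10.000Z", "source": {"ip": "10.0.0.7", "port": 40001, "stats": {"net_packets_total": 3, "net_bytes_total": 300}}, "dest": {"ip": "192.0.2.20", "port": 53, "stats": {"net_packets_total": 2, "net_bytes_total": 200}}}
"""

def parse_time(value):
    """Parse the YYYY-MM-DDTHH:MM:SS.milliZ format used by start_time/last_time."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_events(ndjson):
    """One JSON object per line, as a newline-delimited JSON export would contain."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def naive_bytes_out(events):
    """The mistake this example guards against: summing every report per flow."""
    totals = {}
    for ev in events:
        totals[ev["flow_id"]] = totals.get(ev["flow_id"], 0) + ev["source"]["stats"]["net_bytes_total"]
    return totals

def summarize_flows(events):
    """Keep only the most recent report per flow_id and derive per-flow figures."""
    latest = {}
    for ev in events:
        fid = ev["flow_id"]
        if fid not in latest or parse_time(ev["last_time"]) > parse_time(latest[fid]["last_time"]):
            latest[fid] = ev
    summary = {}
    for fid, ev in latest.items():
        duration = parse_time(ev["last_time"]) - parse_time(ev["start_time"])
        summary[fid] = {
            "final": ev["final"],            # False means the flow is still open
            "duration_s": duration.total_seconds(),
            "packets_out": ev["source"]["stats"]["net_packets_total"],
            "bytes_out": ev["source"]["stats"]["net_bytes_total"],
            "packets_in": ev["dest"]["stats"]["net_packets_total"],
            "bytes_in": ev["dest"]["stats"]["net_bytes_total"],
        }
    return summary
```

With the sample data, naive_bytes_out reports 8500 bytes out for flow A while the final report states 4000, which is the figure summarize_flows returns.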