Flow Event Fields

These fields contain data about the flow itself.

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time, the first packet for the flow has been seen.

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time, the most recent processed packet for the flow has been seen.

Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.

Internal flow id based on connection meta data and address.

Innermost VLAN address used in network packets.

Second innermost VLAN address used in network packets.

Properties of the source host

Source MAC address as indicated by first packet seen for the current flow.

Innermost IPv4 source address as indicated by first packet seen for the current flow.

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

Second innermost IPv4 source address as indicated by first packet seen for the current flow.

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

Innermost IPv6 source address as indicated by first packet seen for the current flow.

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

Second innermost IPv6 source address as indicated by first packet seen for the current flow.

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

Source port number as indicated by first packet seen for the current flow.

Object with source to destination flow measurements.

type: long

Total number of packets

type: long

Total number of bytes

Properties of the destination host

Destination MAC address as indicated by first packet seen for the current flow.

Innermost IPv4 destination address as indicated by first packet seen for the current flow.

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

Second innermost IPv4 destination address as indicated by first packet seen for the current flow.

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

Innermost IPv6 destination address as indicated by first packet seen for the current flow.

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

Second innermost IPv6 destination address as indicated by first packet seen for the current flow.

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

Destination port number as indicated by first packet seen for the current flow.

Object with destination to source flow measurements.

type: long

Total number of packets

type: long

Total number of bytes

ICMP id used in ICMP based flow.

optional TCP connection id