IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Docker fields Host fields »
Elastic Docs Packetbeat Reference [6.3] Exported fields

Flow Event fields

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Flow Event fields

edit

These fields contain data about the flow itself.

start_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time, the first packet for the flow has been seen.

last_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time, the most recent processed packet for the flow has been seen.

final

Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.

flow_id

Internal flow id based on connection meta data and address.

vlan

Innermost VLAN address used in network packets.

outer_vlan

Second innermost VLAN address used in network packets.

source fields

edit

Properties of the source host

source.mac

Source MAC address as indicated by first packet seen for the current flow.

source.ip

Innermost IPv4 source address as indicated by first packet seen for the current flow.

source.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ip

Second innermost IPv4 source address as indicated by first packet seen for the current flow.

source.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.ipv6

Innermost IPv6 source address as indicated by first packet seen for the current flow.

source.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ipv6

Second innermost IPv6 source address as indicated by first packet seen for the current flow.

source.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.port

Source port number as indicated by first packet seen for the current flow.

stats fields

edit

Object with source to destination flow measurements.

source.stats.net_packets_total

type: long

Total number of packets

source.stats.net_bytes_total

type: long

Total number of bytes

dest fields

edit

Properties of the destination host

dest.mac

Destination MAC address as indicated by first packet seen for the current flow.

dest.ip

Innermost IPv4 destination address as indicated by first packet seen for the current flow.

dest.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ip

Second innermost IPv4 destination address as indicated by first packet seen for the current flow.

dest.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.ipv6

Innermost IPv6 destination address as indicated by first packet seen for the current flow.

dest.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ipv6

Second innermost IPv6 destination address as indicated by first packet seen for the current flow.

dest.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.port

Destination port number as indicated by first packet seen for the current flow.

stats fields

edit

Object with destination to source flow measurements.

dest.stats.net_packets_total

type: long

Total number of packets

dest.stats.net_bytes_total

type: long

Total number of bytes

icmp_id

ICMP id used in ICMP based flow.

connection_id

optional TCP connection id

« Docker fields Host fields »