Splunk Stream search syntax
The table summarizes Stream source and sourcetype search syntax.
| Stream 6.1.0 or later | | Example |
|---|---|---|
| Syntax | `source=stream:<stream-id> sourcetype=stream:<protocol>` | |
| Search for a specific `<stream-id>` | `source=stream:<stream-id>` | `source=stream:http`, `source=stream:tcp` |
| Search for all `<protocol>` streams | `sourcetype=stream:<protocol>` | `sourcetype=stream:http`, `sourcetype=stream:tcp` |
Note: The name that Stream assigns to an individual <stream-id> is the same as the underlying protocol.
How NetFlow timestamp data is processed
When any of the following fields are present in your NetFlow data, the Stream forwarder sets the Splunk timestamp field for the event to the value of the NetFlow flowStart* field and the Splunk endtime field to the value of the NetFlow flowEnd* field:
- flowStartSeconds
- flowEndSeconds
- flowStartMilliseconds
- flowEndMilliseconds
- flowStartMicroseconds
- flowEndMicroseconds
- flowStartNanoseconds
- flowEndNanoseconds
For NetFlow records that are not flow related, when observationTime* fields are available, Stream forwarder sets the Splunk timestamp and endtime fields to the NetFlow observationTime*.
If both flowStart* and observationTime* fields are in your NetFlow data, then Stream forwarder sets the Splunk Search timestamp to be the NetFlow flowStart* and the Splunk Search endtime field to contain the NetFlow observationTime* value.
If none of the above fields are present, and a NetFlow record has any of the following fields:
- "first switched" (flowStartSysUpTime)
- "last switched" (flowEndSysUpTime)
- "system uptime"
- "current device time in unix epoch"
then Stream forwarder calculates the Splunk Search timestamp and endtime as follows:
timestamp = ("device time in unix epoch" - "system uptime") + "first switched" (flowStartSysUpTime)
endtime = ("device time in unix epoch" - "system uptime") + "last switched" (flowEndSysUpTime)
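The following Python function walks through the timestamp precedence described in this section (flowStart*/flowEnd* first, then observationTime*, then the sysUpTime arithmetic) on a few constructed NetFlow records. It is an added example, not Splunk Stream's own code. The flowStart*, flowEnd* and observationTime* field names are the ones listed above; the key names `sysUpTime_ms` (system uptime, milliseconds) and `unixSecs` (current device time in unix epoch) are assumptions for the fields the text only describes in words, and treating a record that carries flowStart* but no flowEnd* as a zero-length flow is likewise an assumption.

```python
"""Derive Splunk timestamp/endtime (epoch seconds) from NetFlow timing fields.

Added example following the precedence described in the section above;
not Splunk Stream's implementation.
"""
from typing import Dict, Optional, Tuple

# Divisors that convert each flowStart*/flowEnd*/observationTime* unit to seconds.
_UNITS = {
    "Seconds": 1,
    "Milliseconds": 1_000,
    "Microseconds": 1_000_000,
    "Nanoseconds": 1_000_000_000,
}


def _first_present(record: Dict[str, int], prefix: str) -> Optional[float]:
    """Return the first <prefix><Unit> field found, converted to epoch seconds."""
    for unit, divisor in _UNITS.items():
        key = f"{prefix}{unit}"
        if key in record:
            return record[key] / divisor
    return None


def derive_timestamps(record: Dict[str, int]) -> Optional[Tuple[float, float]]:
    """Return (timestamp, endtime) in epoch seconds, or None if underivable."""
    start = _first_present(record, "flowStart")
    end = _first_present(record, "flowEnd")
    obs = _first_present(record, "observationTime")

    # Case 1: flowStart* and observationTime* both present:
    # timestamp = flowStart*, endtime = observationTime*.
    if start is not None and obs is not None:
        return start, obs

    # Case 2: flow-related record with flowStart*/flowEnd*.
    # Assumption: a missing flowEnd* is treated as a zero-length flow.
    if start is not None:
        return start, end if end is not None else start

    # Case 3: non-flow record with only observationTime*.
    if obs is not None:
        return obs, obs

    # Case 4: legacy-style record with "first/last switched" relative to device uptime.
    # Assumed key names: sysUpTime_ms (system uptime in ms), unixSecs (device epoch time).
    needed = ("flowStartSysUpTime", "flowEndSysUpTime", "sysUpTime_ms", "unixSecs")
    if all(k in record for k in needed):
        # Device boot time in epoch seconds = device time - uptime.
        boot = record["unixSecs"] - record["sysUpTime_ms"] / 1_000
        timestamp = boot + record["flowStartSysUpTime"] / 1_000
        endtime = boot + record["flowEndSysUpTime"] / 1_000
        return timestamp, endtime

    return None


# Constructed sample records (not real captures).
SAMPLES = {
    "ipfix_flow": {
        "flowStartMilliseconds": 1_700_000_000_000,
        "flowEndMilliseconds": 1_700_000_005_000,
    },
    "option_record": {"observationTimeSeconds": 1_700_000_100},
    "start_and_observation": {
        "flowStartSeconds": 1_700_000_000,
        "observationTimeMilliseconds": 1_700_000_002_500,
    },
    "v5_style": {
        "unixSecs": 1_700_000_000,
        "sysUpTime_ms": 600_000,
        "flowStartSysUpTime": 540_000,
        "flowEndSysUpTime": 599_000,
    },
    "no_timing": {},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:24s} -> {derive_timestamps(rec)}")
```

In the `v5_style` record the device reports an uptime of 600 s at epoch 1 700 000 000, so it booted at 1 699 999 400; the flow's first/last switched offsets (540 s and 599 s after boot) therefore map to 1 699 999 940 and 1 699 999 999. Note that the uptime-based arithmetic only holds while the exporter's uptime counter and the flow's switched offsets share the same epoch; a counter that has wrapped or an exporter that rebooted between the flow and the export produces timestamps that are silently wrong, which is worth checking when flows appear far from their collection time.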