- Packetbeat Reference: other versions:
- Overview
- Getting started with Packetbeat
- Setting up and running Packetbeat
- Upgrading Packetbeat
- Configuring Packetbeat
- Set traffic capturing options
- Set up flows to monitor network traffic
- Specify which transaction protocols to monitor
- Specify which processes to monitor
- Specify general settings
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Drop events
- Drop fields from events
- Keep fields from events
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- HTTP Endpoint
- packetbeat.reference.yml
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- ECS fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Process fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitoring Packetbeat
- Securing Packetbeat
- Visualizing Packetbeat data in Kibana
- Troubleshooting
- Contributing to Beats
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Flow Event fields
editFlow Event fields
editThese fields contain data about the flow itself.
-
flow.final -
type: boolean
Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
flow.id -
Internal flow ID based on connection meta data and address.
-
flow.vlan -
type: long
VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag’s VLAN identifier listed first.
-
flow_id -
type: alias
alias to: flow.id
-
final -
type: alias
alias to: flow.final
-
vlan -
type: alias
alias to: flow.vlan
-
source.stats.net_bytes_total -
type: alias
alias to: source.bytes
-
source.stats.net_packets_total -
type: alias
alias to: source.packets
-
dest.stats.net_bytes_total -
type: alias
alias to: destination.bytes
-
dest.stats.net_packets_total -
type: alias
alias to: destination.packets
Was this helpful?
Thank you for your feedback.