Community ID Network Flow Hash
editCommunity ID Network Flow Hash
editThe community_id processor computes a network flow hash according to the
Community ID Flow Hash
specification.
The flow hash is useful for correlating all network events related to a single flow. For example, you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from the Network Packet Capture integration.
By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data, no parameters are required.
Examples
edit- community_id:
If the data does not conform to ECS, you can customize the field names that the processor reads from. You can also change the target field that the computed hash is written to. For example:
- community_id:
fields:
source_ip: my_source_ip
source_port: my_source_port
destination_ip: my_dest_ip
destination_port: my_dest_port
iana_number: my_iana_number
transport: my_transport
icmp_type: my_icmp_type
icmp_code: my_icmp_code
target: network.community_id
If the necessary fields are not present in the event, the processor silently continues without adding the target field.
Configuration settings
editElastic Agent processors execute before ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?
| Name | Required | Default | Description |
|---|---|---|---|
|
No |
Field names that the processor reads from:
|
|
|
No |
Field that the computed hash is written to. |
|
|
No |
Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme. This setting results in a 16-bit unsigned integer that gets incorporated into all generated hashes. |