Community ID Network Flow Hash

The `community_id` processor computes a network flow hash according to the Community ID Flow Hash specification.
The flow hash is useful for correlating all network events related to a single flow. For example, you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from the Network Packet Capture integration.
By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data, no parameters are required.
Examples

```yaml
- community_id:
```
If the data does not conform to ECS, you can customize the field names that the processor reads from. You can also change the target field that the computed hash is written to. For example:
```yaml
- community_id:
    fields:
      source_ip: my_source_ip
      source_port: my_source_port
      destination_ip: my_dest_ip
      destination_port: my_dest_port
      iana_number: my_iana_number
      transport: my_transport
      icmp_type: my_icmp_type
      icmp_code: my_icmp_code
    target: network.community_id
```
If the necessary fields are not present in the event, the processor silently continues without adding the target field.
Configuration settings
Elastic Agent processors execute before ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer to What are some limitations of using processors?
Name | Required | Default | Description |
---|---|---|---|
`fields` | No | `source_ip: source.ip`, `source_port: source.port`, `destination_ip: destination.ip`, `destination_port: destination.port`, `iana_number: network.iana_number`, `transport: network.transport`, `icmp_type: icmp.type`, `icmp_code: icmp.code` | Field names that the processor reads from. Each key names the ECS field that holds the corresponding flow parameter. |
`target` | No | `network.community_id` | Field that the computed hash is written to. |
`seed` | No | `0` | Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme. This setting results in a 16-bit unsigned integer that gets incorporated into all generated hashes. |
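As an added example (not Elastic's code), the following Python re-implements the Community ID v1 hash that the processor computes, plus a `process` function that mirrors the `fields`, `target` and `seed` settings and the skip-on-missing-fields behaviour described above. It assumes a flat event dict with dotted keys (`source.ip`, …) and covers TCP/UDP/SCTP, ICMPv4 and port-less protocols; the ICMPv6 type pairing from the spec is omitted.

```python
import base64
import hashlib
import ipaddress
import struct

TCP, UDP, SCTP, ICMP = 6, 17, 132, 1
# ICMPv4 request/reply type pairs; the paired type stands in for the destination port.
ICMP4_REPLY = {8: 0, 0: 8, 13: 14, 14: 13, 15: 16, 16: 15, 17: 18, 18: 17, 10: 9, 9: 10}
TRANSPORT_NUMBERS = {"tcp": TCP, "udp": UDP, "sctp": SCTP, "icmp": ICMP}
# Default ECS field names, mirroring the processor's `fields` setting (assumed flat dotted keys).
DEFAULT_FIELDS = {"source_ip": "source.ip", "source_port": "source.port",
    "destination_ip": "destination.ip", "destination_port": "destination.port",
    "iana_number": "network.iana_number", "transport": "network.transport",
    "icmp_type": "icmp.type", "icmp_code": "icmp.code"}

def community_id(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Community ID v1: '1:' + base64(SHA1(seed|saddr|daddr|proto|0|sport|dport))."""
    if not 0 <= seed <= 65535:
        raise ValueError("seed must be a 16-bit unsigned integer")
    sip, dip = ipaddress.ip_address(saddr).packed, ipaddress.ip_address(daddr).packed
    one_way = False
    if proto == ICMP:  # ICMP type/code play the role of ports
        if sport in ICMP4_REPLY:
            dport = ICMP4_REPLY[sport]
        else:
            one_way = True  # unpaired type: direction is never flipped
    elif proto not in (TCP, UDP, SCTP):
        sport = dport = None  # other protocols contribute no port bytes
    # Canonical ordering makes both directions of a flow hash identically.
    if not (one_way or sip < dip or (sip == dip and (sport or 0) < (dport or 0))):
        sip, dip, sport, dport = dip, sip, dport, sport
    data = struct.pack("!H", seed) + sip + dip + struct.pack("!BB", proto, 0)
    data += struct.pack("!HH", sport, dport) if sport is not None else b""
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

def process(event, fields=None, target="network.community_id", seed=0):
    """Hash a flat event dict like the processor; leave it unchanged if fields are missing."""
    names = dict(DEFAULT_FIELDS, **(fields or {}))
    proto = event.get(names["iana_number"])
    if proto is None:  # fall back to the transport name when no IANA number is present
        proto = TRANSPORT_NUMBERS.get(str(event.get(names["transport"], "")).lower())
    sip, dip = event.get(names["source_ip"]), event.get(names["destination_ip"])
    if proto is None or sip is None or dip is None:
        return event
    proto = int(proto)
    ports = ("icmp_type", "icmp_code") if proto == ICMP else ("source_port", "destination_port")
    sport, dport = event.get(names[ports[0]]), event.get(names[ports[1]])
    if proto in (TCP, UDP, SCTP, ICMP) and (sport is None or dport is None):
        return event
    event[target] = community_id(sip, dip, proto, sport, dport, seed)
    return event
```

With the default seed, the TCP flow 128.232.110.120:34855 to 66.35.250.204:80 yields the reference value `1:LQU9qZlK+B5F3KDmev6m5PMibrg=` from the Community ID specification, and the reverse direction yields the same ID.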