Data Source: Splunk Stream HTTP

Description

Data source object for Splunk Stream HTTP

Details

Property    Value
Source      stream:http
Sourcetype  stream:http

Supported Apps

Event Fields

Fields:
_time
bytes
bytes_in
bytes_out
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest_headers
dest_ip
dest_mac
dest_port
endtime
flow_id
host
http_comment
http_content_length
http_method
http_user_agent
index
linecount
packets_in
packets_out
protocol_stack
punct
site
source
sourcetype
splunk_server
src_headers
src_ip
src_mac
src_port
status
time_taken
timeendpos
timestamp
timestartpos
transport
uri
uri_path

Example Log

{"endtime":"2021-12-13T17:29:28.499004Z","timestamp":"2021-12-13T17:29:28.453391Z","bytes":2000,"bytes_in":177,"bytes_out":1823,"dest_headers":"HTTP/1.1 200 OK\r\nDate: Mon, 13 Dec 2021 17:29:15 GMT\r\nContent-length: 1745\r\n\r\n","dest_ip":"10.0.1.16","dest_mac":"02:3C:5A:F1:02:C5","dest_port":8080,"flow_id":"db81d2cb-b684-4fac-bb2e-82f355e6de6e","http_comment":"HTTP/1.1 200 OK","http_content_length":1745,"http_method":"GET","http_user_agent":"Java/1.8.0_181","packets_in":5,"packets_out":4,"protocol_stack":"ip:tcp:http","site":"10.0.1.16:8080","src_headers":"GET /ExploitbQPooNZSx3.class HTTP/1.1\r\nUser-Agent: Java/1.8.0_181\r\nHost: 10.0.1.16:8080\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection: keep-alive\r\n\r\n","src_ip":"10.0.1.25","src_mac":"02:95:98:C5:52:71","src_port":41132,"status":200,"time_taken":45647,"transport":"tcp","uri":"/ExploitbQPooNZSx3.class","uri_path":"/ExploitbQPooNZSx3.class"}

Source: GitHub | Version: 1