Columns and Filters
This is where you define filters to narrow-down the search results. Click the (?) icon next to the word Filters for all possible dimensions. For any User Labels data, those columns will also be available for the appropriate intervals. This input also supports and, or, not, and parenthesis keywords, use these to express more complex filters. For example, a direction-agnostic filter between IP 1.1.1.1 and 2.2.2.2 can be written:
Consumer Address = 1.1.1.1 and Provider Address = 2.2.2.2 or Consumer Address = 2.2.2.2 and Provider Address = 1.1.1.1
And to additionally filter on Protocol = TCP:
(Consumer Address = 1.1.1.1 and Provider Address = 2.2.2.2 or Consumer Address = 2.2.2.2 and Provider Address = 1.1.1.1) and Protocol = TCP
The filter input also supports “,” and “-” for Port, Consumer Address and Provider Address, by translating “-” into range queries. The following are examples of a valid filter:
|
Columns (Names exposed in API) |
Description |
Source |
|---|---|---|
|
Consumer Address (src_address) |
Enter a subnet or IP Address using CIDR notation (for example, 10.11.12.0/24). Matches flow observations whose consumer address overlaps with the provided IP Address or subnet. |
Software Agents and Ingest Appliances |
|
Provider Address (dst_address) |
Enter a subnet or IP Address using CIDR notation (for example, 10.11.12.0/24) Matches flow observations whose provider address overlaps with the provided IP address or subnet. |
Software Agents and Ingest Appliances |
|
Consumer Name |
Matches flow observations whose consumer workload name overlaps with the entered consumer workload name. |
Software Agents and AnyConnect Connector |
|
Provider Name |
Matches flow observations whose provider workload name overlaps with the entered provider workload name. |
Software Agents and AnyConnect Connector |
|
Consumer User |
Matches flow observations whose consumer name overlaps with the entered consumer name who generated the flow. |
Software Agents and AnyConnect Connector |
|
Provider User |
Matches flow observations whose provider name overlaps with the entered provider name who handled the flow. |
Software Agents and AnyConnect Connector |
|
Consumer Domain Name |
Matches flow observations whose consumer domain name (associated with the consumer IP address or subnet) overlaps with the entered consumer domain name. |
Software Agents and AnyConnect Connector |
|
Provider Domain Name |
Matches flow observations whose provider domain name (associated with the provider IP address/subnet) overlaps with the entered provider domain name. |
Software Agents and AnyConnect Connector |
|
Consumer Hostname (src_hostname) |
Matches flows whose consumer hostname overlaps with the provided hostname. |
Software Agents and AnyConnect Connector |
|
Provider Hostname (dst_hostname) |
Matches flows whose provider hostname overlaps with the provided hostname. |
Software Agents and AnyConnect Connector |
|
Consumer Malicious |
If the value is true, the IP address of the consumer is known to be malicious. |
Internal |
|
Provider Malicious |
If the value is true, the IP address of the provider is known to be malicious. |
Internal |
|
Consumer Enforcement Group (src_enforcement_epg_name) |
The Consumer Enforcement Group is the name of the filter (Scope, Inventory Filter or Cluster) in the enforced policies that matches the consumer. |
Internal |
|
Provider Enforcement Group (dst_enforcement_epg_name) |
The Provider Enforcement Group is the name of the filter (Scope, Inventory Filter or Cluster) in the enforced policies that matches the provider. |
Internal |
|
Consumer Analysis Group |
The Consumer Analysis Group is the name of the filter (Scope, Inventory Filter, or Cluster) in the analyzed policies that matches the consumer. |
Internal |
|
Provider Analysis Group |
The Provider Analysis Group is the name of the filter (Scope, Inventory Filter or Cluster) in the analyzed policies that matches the provider. |
Internal |
|
Consumer Scope (src_scope_name) |
Matches flows whose consumer belongs to the specified Scope. |
Internal |
|
Provider Scope (dst_scope_name) |
Matches flows whose provider belongs to the specified Scope. |
Internal |
|
Consumer Port (src_port) |
Matches flows whose Consumer port overlaps with the provided port. |
Software Agents, ERSPAN, and NetFlow |
|
Provider Port (dst_port) |
Matches flows whose Provider port overlaps with the provided port. |
Software Agents, ERSPAN, and NetFlow |
|
Consumer Country (src_country) |
Matches flows whose Consumer country overlaps with the provided country. |
Internal |
|
Provider Country (dst_country) |
Matches flows whose Provider country overlaps with the provided country. |
Internal |
|
Consumer Subdivision (src_subdivision) |
Matches flows whose Consumer subdivision overlaps with the provided subdivision (state). |
Internal |
|
Provider Subdivision (dst_subdivision) |
Matches flows whose Provider subdivision overlaps with the provided subdivision (state). |
Internal |
|
Consumer Autonomous System Organization (src_ autonomous_system_organization) |
Matches flows whose Consumer autonomous system organization overlaps with provided autonomous system organization (ASO). |
Internal |
|
Provider Autonomous System Organization (dst_autonomous_system_organization) |
Matches flows whose Provider autonomous system organization overlaps with provided autonomous system organization (ASO). |
Internal |
|
Protocol (proto) |
Filter flow observations by Protocol type (TCP, UDP, ICMP). |
Software Agents and Ingest Appliances |
|
Address Type (key_type) |
Filter flow observations by Address type (IPv4, IPv6, DHCPv4). |
Software Agents and Ingest Appliances |
|
Fwd TCP Flags |
Filter flow observations by flags (SYN, ACK, ECHO). |
Software Agents, ERSPAN, and NetFlow |
|
Rev TCP Flags |
Filter flow observations by flags (SYN, ACK, ECHO). |
Software Agents, ERSPAN, and NetFlow |
|
Fwd Process UID (fwd_process_owner) |
Filter flow observations by process owner UID (root, admin, yarn, mapred). |
Software Agents |
|
Rev Process UID (rev_process_owner) |
Filter flow observations by process owner UID (root, admin, yarn, mapred). |
Software Agents |
|
Fwd Process (fwd_process_string) |
Filter flow observations by process (java, hadoop, nginx). See Process String Visibility Warning |
Software Agents |
|
Rev Process (rev_process_string) |
Filter flow observations by process (java, hadoop, nginx). See Process String Visibility Warning |
Software Agents |
|
Consumer In Collection Rules? |
Match only internal Consumers. |
Internal |
|
Provider In Collection Rules? |
Match only internal Providers. |
Internal |
|
SRTT Available |
Matches flows which have SRTT measurements available using the values ‘true’ or ‘false’. (This is equivalent to SRTT > 0). |
Internal |
|
Bytes |
Filter flow observations by Byte traffic bucket. Matches flows whichByte traffic bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024)). |
Software Agent and Ingest Appliances |
|
Packets |
Filter flow observations by Packet traffic bucket. Matches flows which Packet traffic bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024)). |
Software Agent and Ingest Appliances |
|
Flow Duration (µs) |
Filter flow observations by Flow Duration bucket. Matches flows which Flow Duration bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024). |
Internal |
|
Data Duration (µs) |
Filter flow observations by Data Duration bucket. Matches flows which Data Duration bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024). |
Internal |
|
SRTT (µs) (srtt_dim_usec) |
Filter flow observations by SRTT bucket. Matches flows which SRTT bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024)). |
Software Agent |
|
Fwd Packet Retransmissions (fwd_tcp_pkts_retransmitted) |
Filter flow observations by Packet Retransmissions bucket. Matches flows which Packet Retransmissions bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024)). |
Software Agent |
|
Rev Packet Retransmissions (rev_tcp_pkts_retransmitted) |
Filter flow observations by Packet Retransmissions bucket. Matches flows which Packet Retransmissions bucket values are =, <, > (bucketed by powers of 2 (0, 2, 64, 1024)). |
Software Agent |
|
User Labels (* or user_ prefix) |
User-defined data that is associated to the manually uploaded custom labels that are prefixed with * in the UI and user_ in OpenAPI. |
CMDB |
|
TLS Version |
SSL protocol version used in the flow. |
Software Agent |
|
TLS Cipher |
Algorithm type used by the SSL protocol in the flow. |
Software Agent |
|
Consumer Agent Type |
Specify the consumer agent type. |
Internal |
|
Provider Agent Type |
Specify the provider agent type. |
Internal |
|
Consumer Resource Type |
Represents the flow of resources from a source to a consumer. It can be either workload, pods, services, or others |
Internal |
|
Provider Resource Type |
Represents the flow of resources from a provider to a consumer. . It can be either workload, pods, services, or others. |
Internal |
|
Because flow data is labeled with User Labels only at ingestion time, User Labels will not appear immediately after enabling them. It may take a few minutes before the labels start appearing in Flow Search. Also, the available User Labels will be different depending on which part of the Corpus Selector you have selected, since the enabled Labels might have been changed at various times. |