Solved: What does the "cancelled" attribute donate when ca...

twigat · ‎07-29-2016

Hi Everyone,

I have a question regarding the fields returned by Splunk App for Stream. I've configured a number of TCP flow monitors and I see some flows have a "cancelled" attribute.

I couldn't find any documentation about what this field's purpose is, could this be that an RST was sent instead of a FIN|FIN/ACK for a TCP flow? Any other definitions I'm not considering?

vshcherbakov_sp · ‎07-29-2016

Hi,

You're correct - "cancelled" means that the flow was terminated with an RST.

As for where to get the documentation - if you go to the Configuration -> Configure Streams page inside the App for Stream UI and click on a stream, you'll see a list of fields you can enable/disable/etc. Each field there has a description column that provides some info about the field.

View solution in original post

vshcherbakov_sp · ‎07-29-2016

Hi,

You're correct - "cancelled" means that the flow was terminated with an RST.

As for where to get the documentation - if you go to the Configuration -> Configure Streams page inside the App for Stream UI and click on a stream, you'll see a list of fields you can enable/disable/etc. Each field there has a description column that provides some info about the field.

What does the "cancelled" attribute donate when capturing TCP flows using Stream App?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms