Dimensions Reference

The dimensions that you can group by and filter by are based in part on actual or virtual columns in the KDE (see KDE Tables). These dimensions are listed in the following topics, which correspond to the categories by which the dimensions are shown in the Dimension Selector Dialog (part of the ad hoc filter controls in the Filtering Options dialog):

Notes:
- Except where noted, the dimensions listed in the tables below are available for both filtering and group-by.
- The value type refers to the data type (text, integer, etc.) of the dimension value.
- The column type refers to whether the dimension is literally stored in KDE (native) or derived at query-time from other KDE-stored information (virtual); see KDE Query Efficiency.
- The KDE name(s) given below, which represent the KDE column(s) corresponding to each dimension, may be used in API queries made with the Query SQL Method.
- Some columns are native (actually stored in the backend) while others are virtual (derived from other information). In general, filtering with dimensions based on native columns will return results faster than filtering with dimensions based on virtual columns.

 

 

Network and Traffic Topology

These dimensions are used to filter or group-by on information related to devices including interface names and descriptions, port IDs, etc.

Device Info dimensions (see About Devices)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Device ID | Kentik-assigned unique numerical ID of the device (see Device General Settings). | text | Virtual | Non-directional | i_device_id |
| Device Name | User-defined name for the device (see Device General Settings). | text | Virtual | Non-directional | i_device_name |
| Device Type | Type of device: router, host, etc. (see Supported Device Types). Note: Used only for selection (filtering with WHERE clause), not for display or GROUP_BY. | text | Virtual | Non-directional | i_device_type |
| Site | Name of the site to which the device has been assigned (see About Sites). If the device hasn’t been assigned to a site, returns an empty string. Notes: Supported operators for WHERE clause: case-insensitive equality, LIKE, IN, and regex matching. Site assignments in the table may lag Admin settings by up to 10 minutes. | text | Virtual | Non-directional | i_device_site_name |
| Device Labels | A label assigned to a collection of devices (see About Device Labels). | text | Virtual | Non-directional | i_device_label |

Interface Info dimensions (see About Interfaces)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Interface ID | ID of the receiving/sending host or router interface (see Interface Field Definitions). | integer | Native | Src/Dst | input_port, output_port |
| Interface Name | The vendor-defined name (e.g. “GigabitEthernet0/1”) of the device interface (physical or logical) through which flow ingressed/egressed (see Interface Field Definitions). | text | Virtual | Src/Dst | i_input_interface_description, i_output_interface_description |
| Interface Description | A user-provided description (e.g. “Connected to upstream ISP”) of the device interface (physical or logical) through which flow ingressed/egressed (see Interface Field Definitions). | text | Virtual | Src/Dst | i_input_snmp_alias, i_output_snmp_alias |
| Interface Capacity | The speed of the device interface through which flow ingressed/egressed (see Interface Field Definitions). | bigint | Virtual | Src/Dst | i_input_interface_speed, i_output_interface_speed |

Interface Classification dimensions (see Interface Classification)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Connectivity Type | The connectivity type, such as transit, IX peering, etc., of the source/destination interface of this flow (see Connectivity Type Attribute). | text | Virtual | Src/Dst | i_src_connect_type_name, i_dst_connect_type_name |
| Network Boundary | The network boundary value (internal or external) of the source/destination interface of this flow (see Network Boundary Attribute). | text | Virtual | Src/Dst | i_src_network_bndry_name, i_dst_network_bndry_name |
| Provider | A string representing the provider via which source/destination traffic over a given interface reaches the Internet (see About Provider Classification). | text | Virtual | Src/Dst | i_src_provider_classification, i_dst_provider_classification |

Network Classification dimensions (see Network Classification)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Traffic Orig/Term | Indicates the location (inside or outside) of the source/destination of the flow (see Network Classification Dimensions). | text | Virtual | Src/Dst | i_trf_origination, i_trf_termination |
| Host Direction | If flow record is from host, indicates whether the direction of traffic is into or out of that host (see Network Classification Dimensions). | text | Virtual | Non-directional | i_host_direction |
| Traffic Profile | The origination and termination of the flow (see Network Classification Dimensions). | text | Virtual | Non-directional | i_trf_profle |

Ultimate Exit dimensions (see Using Ultimate Exit)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Ultimate Exit Interface ID | Number of port through which the flow leaves (see Network Classification Dimensions). | bigint | Native | Non-directional | ult_exit_port |
| Ultimate Exit Interface Name | The SNMP description (portal name) of the interface through which the flow leaves (see Network Classification Dimensions). | text | Virtual | Non-directional | i_ult_exit_interface_description |
| Ultimate Exit Interface Description | The SNMP alias (portal description) of the interface through which the flow leaves (see Network Classification Dimensions). | text | Virtual | Non-directional | i_ult_exit_snmp_alias |
| Ultimate Exit Connectivity Type | The connectivity type value of the interface through which traffic left the network for another AS (see Network Classification Dimensions). | text | Virtual | Non-directional | i_ult_exit_connect_type_name |
| Ultimate Exit Network Boundary | The network boundary value of the interface through which traffic left the network for another AS (see Network Classification Dimensions). | text | Virtual | Non-directional | i_ult_exit_network_bndry_name |
| Ultimate Exit Provider | A string representing the ultimate exit provider (see Why Ultimate Exit). | text | Virtual | Non-directional | i_ult_provider_classifcation |
| Ultimate Exit Site | The name of the site through which the flow leaves (see Why Ultimate Exit). | text | Virtual | Non-directional | i_ult_exit_site |
| Ultimate Exit Device | The name of the device through which the flow leaves (see Why Ultimate Exit). | text | Virtual | Non-directional | i_ult_exit_device_name |

LAN dimensions

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| VLAN | ID of receiving/sending VLAN. | integer | Native | Src/Dst | vlan_in, vlan_out |
| MAC Address | Ethernet (L2) address of source/destination. Usage described in MAC Address Columns. | text | Native | Src/Dst | src_eth_mac, dst_eth_mac |

Notes:
- In the Group-by selector, Device Name is represented as the Device dimension.
- In the Group-by selector, Interface Name and Description are represented by the Interface dimension.
- In the Group-by selector, Traffic Orig/Term is represented as two separate dimensions, Traffic Origination and Traffic Termination.
- In the Group-by selector, Ultimate Exit Interface Name and Description are represented by the Ultimate Exit Interface dimension.

 

 

IP and BGP Routing

These dimensions are used to filter or group-by on IP addresses (IPv4 or IPv6), protocol (e.g. TCP or UDP), TCP flags, and ToS, as well as routing information including source and destination AS, AS path, AS names, community, prefixes, and hops.

IP Info dimensions

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| IP/CIDR | The source/destination IP address, either IPv4 or IPv6, of the flow. | text | Native | Src/Dst | inet_src_addr, inet_dst_addr |
| Protocol | The number of the protocol. See https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers | integer | Native | Non-directional | protocol |
| Protocol Name | The name of the protocol followed by the corresponding protocol number in parentheses, e.g. TCP (6). In SQL, supports case-insensitive equality and IN matching. | text | Virtual | Non-directional | i_protocol_name |
| Port Number | Layer 4 source/destination port (e.g. 80, 443). | integer | Virtual | Src/Dst | l4_src_port, l4_dst_port |
| INET Family | The address family of the flow, either 4 (IPv4) or 6 (IPv6). | integer | Native | Non-directional | inet_family |
| DSCP | A DSCP (differentiated services code point) value from the DS field in a packet’s IP header, which classifies the packet’s contents to enable differentiated QoS. | integer | Native | Non-directional | dscp |
| TOS/Diffserv | An 8-bit value, typically made up of a six-bit Differentiated Services Code Point (DSCP) field and a two-bit Explicit Congestion Notification (ECN) field. | integer | Native | Non-directional | tos |

TCP dimensions (see Host Traffic Metrics)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| TCP Retransmits | Packets re-sent from source to destination. Note: Valid only with a reliable transport protocol such as TCP. | bigint | Native | Non-directional | retransmitted_out_pkts |
| Repeated TCP Retransmits | Number of times a given packet was retransmitted 3 or more times. | bigint | Native | Non-directional | repeated_retransmits |
| TCP Receive Window | Size of TCP receive window. | bigint | Native | Non-directional | receive_window |
| TCP Zero Windows | Count of TCP receive windows with value of zero (indicating full buffer). | bigint | Native | Non-directional | zero_windows |
| TCP Client Latency (ms) | One-way network latency as measured from the client perspective. | bigint | Native | Non-directional | client_nw_latency_ms |
| TCP Server Latency (ms) | One-way network latency as measured from the server perspective. | bigint | Native | Non-directional | server_nw_latency_ms |

BGP dimensions (see About Kentik BGP)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Route Prefix | The BGP table prefix, either IPv4 or IPv6, that contains the source/destination IP of the flow. | text | Native | Src/Dst | inet_src_route_prefix, inet_dst_route_prefix |
| Route LEN | The BGP prefix length for the source/destination IP of the flow. | integer | Native | Src/Dst | src_route_length, dst_route_length |
| AS Number | The origin ASN associated with the source/destination IP of the flow. | bigint | Native | Src/Dst | src_as, dst_as |
| AS Name | The name associated with AS Number. | text | Virtual | Src/Dst | i_src_as_name, i_dst_as_name |
| AS Group | A label assigned to a collection of ASes (see About AS Groups). | text | Virtual | Src/Dst | kt_src_as_group, kt_dst_as_group |
| Next Hop IP/CIDR | The BGP next-hop IP address, either IPv4 or IPv6, for the source/destination IP of the flow (see About BGP). | text | Native | Src/Dst | inet_src_next_hop, inet_dst_next_hop |
| Next Hop AS Number | The ASN in the first position of the AS_PATH for the source IP of the flow (see About BGP). | integer | Native | Src/Dst | src_nexthop_as, dst_nexthop_as |
| Next Hop AS Name | Name of Next Hop AS Number. | text | Virtual | Src/Dst | i_src_nexthop_as_name, i_dst_nexthop_as_name |
| 2nd Hop AS Number | The ASN in the second position of the AS_PATH for the source/destination IP of the flow (see About BGP). | integer | Native | Src/Dst | src_second_asn, dst_second_asn |
| 2nd Hop AS Name | Name of 2nd Hop AS Number. | text | Virtual | Src/Dst | i_src_second_asn_name, i_dst_second_asn_name |
| 3rd Hop AS Number | The ASN in the third position of the AS_PATH for the source/destination IP of the flow (see About BGP). | integer | Native | Src/Dst | src_third_asn, dst_third_asn |
| 3rd Hop AS Name | Name of 3rd Hop AS Number. | text | Virtual | Src/Dst | i_src_third_asn_name, i_dst_third_asn_name |
| AS Path | The BGP ASPATH for the flow’s source/destination IP (see About BGP). | text | Native | Src/Dst | src_bgp_aspath, dst_bgp_aspath |
| BGP Community | The set of BGP communities associated with the flow’s source/destination IP (see About BGP). | text | Native | Src/Dst | src_bgp_community, dst_bgp_community |
| RPKI Validation Status | The RPKI (Resource Public Key Infrastructure; see https://rpki.readthedocs.io/en/latest/) status of a prefix in a BGP-advertised route, which indicates whether the route would be used or dropped if the router were configured to enforce strict route validation. | text | Virtual | Dst | i_dst_rpki_name |
| RPKI Quick Status | Provides a simplified view of RPKI status, enabling easier determination of the action to take on the prefix. | text | Virtual | Dst | i_dst_rpki_min_name |

VRF dimensions

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| VRF Name | The locally significant name of the VRF via which this flow was routed (input or output). Note: VRF names may vary in different contexts. | text | Virtual | Src/Dst | i_input_vrf, i_output_vrf |
| VRF Route Distinguisher | Uniquely identifies the VRF via which this flow was routed (input or output). | text | Virtual | Src/Dst | i_input_vrf_rd, i_output_vrf_rd |
| VRF Route Target | Uniquely identifies a shared route (used by multiple VRFs) via which this flow was routed (input or output). | text | Virtual | Src/Dst | i_input_vrf_rt, i_output_vrf_rt |
| VRF Extended Route Distinguisher | An encoding of the VRF route distinguisher (for Kentik internal use only). | integer | Native | Src/Dst | input_vrf, output_vrf |

 

 

Cloud Dimensions

The dimensions used to filter or group-by on fields in VPN flow logs from cloud providers are covered in the following topics:

 

 

General Cloud Dimensions

These dimensions are applicable to all cloud providers.

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Cloud Provider | The provider of cloud-based VPCs. | text | Virtual | Non-directional | kt_cloud_provider |

 

 

AWS Dimensions

These dimensions represent data in flow logs from resources in Amazon Web Services (see Kentik for AWS).

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Account | Source/destination AWS account. | integer | Virtual | Src/Dst | kt_aws_src_acc_id, kt_aws_dst_acc_id |
| Instance Name | Source/destination AWS instance name. | text | Virtual | Src/Dst | kt_aws_src_vm_name, kt_aws_dst_vm_name |
| Instance | Source/destination AWS instance. | text | Virtual | Src/Dst | kt_aws_src_vm_id, kt_aws_dst_vm_id |
| Region | Source/destination AWS Region. | text | Virtual | Src/Dst | kt_aws_src_region, kt_aws_dst_region |
| Zone | Source/destination AWS Availability Zone. | text | Virtual | Src/Dst | kt_aws_src_zone, kt_aws_dst_zone |
| Instance Type | Source/destination AWS Instance Type. | text | Virtual | Src/Dst | kt_aws_src_vm_type, kt_aws_dst_vm_type |
| Image ID | Source/destination AWS Image ID. | text | Virtual | Src/Dst | kt_aws_src_image_id, kt_aws_dst_image_id |
| Security Group | Source/destination security group. | text | Virtual | Src/Dst | kt_aws_src_sg, kt_aws_dst_sg |
| Auto Scaling Group | Source/destination auto scaling group. | text | Virtual | Src/Dst | kt_aws_src_asg, kt_aws_dst_asg |
| Public DNS Name | Source/destination public DNS name. | text | Virtual | Src/Dst | kt_aws_src_pub_dns, kt_aws_dst_pub_dns |
| Private DNS Name | Source/destination private DNS name. | text | Virtual | Src/Dst | kt_aws_src_priv_dns, kt_aws_dst_priv_dns |
| VPC ID | Source/destination VPC ID. | text | Virtual | Src/Dst | kt_aws_src_vpc_id, kt_aws_dst_vpc_id |
| Subnet ID | Source/destination subnet ID. | text | Virtual | Src/Dst | kt_aws_src_subnet_id, kt_aws_dst_subnet_id |
| Instance Tags | Tags applied to VMs by users. | text | Virtual | Src/Dst | kt_aws_src_vm_tags, kt_aws_dst_vm_tags |
| Interface ID | The ID of the network interface for which the traffic is recorded. | text | Virtual | Non-directional | kt_aws_interface_id |
| Firewall Action | The action associated with the traffic. ACCEPT: The recorded traffic was permitted by the security groups or network ACLs. REJECT: The recorded traffic was not permitted by the security groups or network ACLs. | text | Virtual | Non-directional | kt_aws_action |
| Logging Status | The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error. | text | Virtual | Non-directional | kt_aws_status |

 

 

GCP Dimensions

These dimensions represent data in flow logs from resources in Google Cloud Platform (see Kentik for GCP).

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Project ID | Source GCE Project ID. | text | Virtual | Src/Dst | kt_gce_src_proj_id, kt_gce_dst_proj_id |
| VM Name | Source VM Name. | text | Virtual | Src/Dst | kt_gce_src_vm_name, kt_gce_dst_vm_name |
| Region | Source VM Name. | text | Virtual | Src/Dst | kt_gce_src_region, kt_gce_dst_region |
| Zone | Source VM Name. | text | Virtual | Src/Dst | kt_gce_src_zone, kt_gce_dst_zone |
| Subnet Name | Source GCE Subnet Name. | text | Virtual | Src/Dst | kt_gce_src_vpc_snn, kt_gce_dst_vpc_snn |
| VM Type | Source VM type. | text | Virtual | Src/Dst | kt_gce_src_vm_type, kt_gce_dst_vm_type |
| Image ID | Source image ID. | text | Virtual | Src/Dst | kt_gce_src_vm_image, kt_gce_dst_vm_image |
| Instance Group ID or Name | Src instance group ID or name. | text | Virtual | Src/Dst | kt_gce_src_vm_group, kt_gce_dst_vm_group |
| Reporter | Indicates where the flow was collected/reported: by the source VM/instance if value is SRC; by the destination VM/instance if value is DEST. | text | Virtual | Non-directional | kt_gce_reporter |

 

 

Azure Dimensions

These dimensions represent data in flow logs from resources in Microsoft Azure (see Kentik for Azure).

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Instance Name | The name of the Azure instance (VM) that generated the flow log. | string | Native | Src/Dst | kt_az_src_inst_name, kt_az_dst_inst_name |
| Instance | The raw ID of the log-generating instance, which is useful for programmatic management of compute resources. | string | Native | Src/Dst | kt_az_src_inst_id, kt_az_dst_inst_id |
| Region | The geographical region of the Azure instance, which corresponds to a specific set of Azure data centers in which the instance may run. | string | Native | Src/Dst | kt_az_src_region, kt_az_dst_region |
| Zone | The High Availability Zone where the instance is currently deployed, which corresponds to a specific data center within a region. | integer | Native | Src/Dst | kt_az_src_zone, kt_az_dst_zone |
| Instance Type | The kind of instance-generated flow logs, which may be Azure-provided or custom-built. These values do not follow a standard naming nomenclature. | string | Native | Src/Dst | kt_az_src_inst_type, kt_az_dst_inst_type |
| Public DNS Name | The publicly resolvable DNS name for an instance. | string | Native | Src/Dst | kt_az_src_fqdn, kt_az_dst_fqdn |
| VNet ID | An identifier for the virtual network object in which an instance resides. A virtual network is a collection of subnets within a given region. | string | Native | Src/Dst | kt_az_src_vnet, kt_az_dst_vnet |
| Subnet Name | The name of a subnet resource assigned to a virtual network. | string | Native | Src/Dst | kt_az_src_subnet, kt_az_dst_subnet |
| Resource Group | A set of related technical resources (disk, storage, VMs, APIs, services, etc.) that can be accessed as a group for bulk operations. | string | Native | Src/Dst | kt_az_src_resource_group, kt_az_dst_resource_group |
| Public IP Address | The public IP address assigned to an Azure instance. Public IP addresses are not assigned by default. | string | Native | Src/Dst | kt_az_src_public_ip, kt_az_dst_public_ip |
| Subscription | A top-level administrative object representing a set of resources that will be billed together in a monthly cycle. All Azure resources are tied to a subscription, which may contain multiple resource groups. | string | Native | Src/Dst | kt_az_src_sub_id, kt_az_dst_sub_id |
| Security Rule | The name of the security rule by which this flow was allowed or denied as it passed through a security group (see below) on its way to or from an Azure instance. | string | Native | Src/Dst | ktsubtype__azure_subnet__STR01, ktsubtype__azure_subnet__STR00 |
| Firewall Action | The actions (allow or deny) taken on this flow by the security rules by which it was evaluated on the way to or from an Azure instance. | string | Native | Src/Dst | ktsubtype__azure_subnet__STR03, ktsubtype__azure_subnet__STR02 |
| Security Group | A collection of enforced security policies (each a collection of rules) at the edge of a virtual network and/or applied to a network interface attached to an instance. Traffic to an instance from the internet must pass through at least one security group at the edge of the virtual network and may also pass through an additional security group attached to the interface of an instance. | string | Native | Src/Dst | kt_az_src_nsg_name, kt_az_dst_nsg_name |

 

 

Geolocation Dimensions

These dimensions are used to filter or group-by on flow properties related to physical location.

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Custom Geo | A collection of countries that have been assigned a common geographical label (see About Custom Geo). | text | Native | Src/Dst | kt_src_market, kt_dst_market |
| Country | Two-letter country code associated with the source/destination IP of the flow. | text | Native | Src/Dst | src_geo, dst_geo |
| Region | Full-text English name of the region (state or province, e.g. “California”) associated with the source IP of the flow. | text | Native | Src/Dst | src_geo_region, dst_geo_region |
| City | Full-text English name of the city (e.g. “San Francisco”) associated with the source IP of the flow. | text | Native | Src/Dst | src_geo_city, dst_geo_city |
| Site Country | A country in which your organization has sites; enables the grouping, with a single dimension, of traffic from all sites in a given country. | text | Virtual | Non-directional | i_device_site_country |
| Ultimate Exit Site Country | The name of the country containing the site through which flow leaves. | text | Virtual | Non-directional | i_ult_exit_site_country |

 

 

Application Context and Security

These dimensions are used to filter or group-by based on various factors related to context, such as whether a flow originated or terminated with a commercial CDN or what “service” (port and protocol) it represents, as well as whether the values of certain flow fields match those of known security threats.

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| CDN | Commercial CDN (if any) with which the flow originated/terminated (see CDN Attribution Dimensions). Note: This dimension is available only for organizations with CDN Attribution enabled. | text | Native | Src/Dst | src_cdn, dst_cdn |
| Service (Port + Proto) | The combination of the port and protocol of the source/destination flow. Note: This dimension is available only for group-by. For filtering, use Port Number and Protocol. | text | Virtual | Src/Dst | N.A. |
| Bot Net CC | A source/destination IP for the flow that has been identified as a botnet command and control (CC) server (see Threat Feed Dimensions). | text | Native | Src/Dst | src_threat_bnetcc, dst_threat_bnetcc |
| Threat List Host | A source/destination IP for the flow that has been identified as a threat (see Threat Feed Dimensions). | text | Native | Src/Dst | src_threat_host, dst_threat_host |
| Application | An identifying string for the application associated with a flow, which is either derived by evaluating flow data or provided in the flow data itself (see About Applications). | text | Native | Non-directional | application |
| TCP Flags | TCP flags that were set on the flow using a flow mask (TCP Flag Filtering). | integer | Native | Non-directional | tcp_flags |
| OTT Service | An individual OTT content service whose hostname is looked up via DNS. | text | Native | Non-directional | ott_service |
| OTT Service Type | The nature of the content provided by an OTT content service. Values include Adult, Ads, Antivirus, Audio, Cloud, Conferencing, Dating, Developer Tools, Documents, Ecommerce, File Sharing, Gaming, IoT, Mail, Maps, Media, Messaging, Network, Newsgroups, Photo Sharing, Social, Software Download, Software Updates, Storage, Video, VPN, Web. | text | Virtual | Non-directional | N.A. |
| OTT Service Provider | An entity that offers an OTT content service. For example Google is the provider for Google Drive, GMail, Google Maps, etc. | text | Virtual | Non-directional | N.A. |

 

 

Application Decodes

These dimensions are used to filter or group-by based on HTTP and DNS-related fields with which Kentik has enriched the original flow records.

DNS dimensions (see Host Traffic Dimensions)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| DNS Query | Query from a DNS resolver to a DNS name server. | text | Native | Src/Dst | kflow_dns_query, N.A. |
| DNS Query Type | The resource record type requested by the DNS query. | bigint | Native | Src/Dst | kflow_dns_query_type, N.A. |
| DNS Return Code | DNS return code (see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6). | bigint | Native | Src/Dst | kflow_dns_ret_code, N.A. |
| DNS Response | The response from a DNS server to a DNS query. | text | Native | Src/Dst | kflow_dns_response, N.A. |

HTTP dimensions (see Host Traffic Dimensions)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| HTTP URL | Filename portion of path, with query string (if any). | text | Native | Src/Dst | N.A., kflow_http_url |
| HTTP Host Header | Domain name of the server. | text | Native | Src/Dst | N.A., kflow_http_host |
| HTTP Return Code | HTTP status code. | bigint | Native | Src/Dst | N.A., kflow_http_status |
| HTTP Referrer | The address from which a destination webpage is requested. | text | Native | Src/Dst | N.A., kflow_http_referer |
| HTTP User Agent | User agent information identifying the client that submitted a request. | text | Native | Src/Dst | N.A., kflow_http_ua |

Application dimensions (see Host Traffic Metrics)

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Connection ID | TCP connection ID. | bigint | Native | Non-directional | connection_id |
| Application Latency (ms) | One-way network latency derived by examining request/response pairs at the application layer. | bigint | Native | Non-directional | appl_latency_ms |
| First Payload Exchange Latency (ms) | Elapsed time from first packet sent to first packet returned. | bigint | Native | Non-directional | fpex_latency_ms |

Note: The above dimensions require Kentik’s kprobe software host agent (see Host Configuration).

 

 

Per-flow Metrics

These dimensions are used to filter or group-by based on stats related to the bytes and packets of the flow.

| Dimension name (portal) | Description | Value type | Column type | Direction | KDE name(s) |
| --- | --- | --- | --- | --- | --- |
| Bytes (recorded inbound) | Number of bytes (not bits!) received on source/ingress interface for flow. | bigint | Native | Src/Dst | in_bytes, N.A. |
| Packets (recorded inbound) | Number of packets received on source/ingress interface for flow. | bigint | Native | Src/Dst | in_pkts, N.A. |
| Bytes (recorded outbound) | Number of bytes sent through the egress interface for this flow (typically host only; routers should only record bytes on ingress interface). | bigint | Native | Src/Dst | N.A., out_bytes |
| Packets (recorded outbound) | Number of packets sent through the egress interface for this flow (typically host only). | bigint | Native | Src/Dst | N.A., out_pkts |
| Packet Size | Packet size of flow (bytes/packet). | integer | Native | Non-directional | sampledpktsize |
| Packet Size (nearest 100) | Packet size of flow (bytes/packets) rounded down to the nearest multiple of 100. | integer | Native | Non-directional | sampledpktsize_100 |
| Sampling Rate * 100 | The rate at which traffic was sampled when flow was collected (see Flow Sampling). | integer | Native | Non-directional | sample_rate |

 

 

Synthetic Measurement Dimensions

When kproxy is used for synthetic measurement (see kproxy Synthetic Measurement) it generates both dimensions and metrics, which are stored in or derived from UDR columns (see Universal Data Records) rather than standard KDE columns. The following table shows the dimensions from synthetic measurement that may be used for filtering or group-by in queries:

| Dimension name (portal) | Description | Value type | Column type | Direction |
| --- | --- | --- | --- | --- |
| Connection Name | Destination identifier. | string | UDR | Non-directional |
| Connection Type | One of the following integers, which each represent a type of connection: 1: Traffic from client to server; 2: Traffic from server to client; 3: Traceroute traffic. | int | UDR | Non-directional |
| ICMP Hop Name | Fully qualified domain name of the hop (or IP address if lookup isn’t possible). | string | UDR | Non-directional |
| ICMP This Hop | A number referring to an individual hop. | int | UDR | Non-directional |
| ICMP This Try | The number of the try for this hop. Each hop is tried 3 times. | int | UDR | Non-directional |
| ICMP Total Hops | In a given ICMP Try, the number of hops it took to get to the destination. | int | UDR | Non-directional |

Note: For metrics related to synthetic measurement, see Synthetic Measurement Metrics.

 

 

Device-specific Dimensions

Device-specific dimensions are covered in the following topics:

 

 

About Device-specific Dimensions

Device-specific dimensions originate as flow records that are specific to given types of devices, whether physical or virtual, such as Kubernetes containers, Istio mesh, Palo Alto Networks firewalls, or Cisco ASA appliances. These records are ingested into Kentik Detect as Universal Data Records (UDR), allowing flexible allocation of flow fields to the columns of the Kentik Data Engine. The resulting dimensions are used for filter or group-by like any other fields in Kentik-ingested flow records.

Notes:
- Kentik Detect also stores and uses certain Device-specific Metrics.
- UDR dimensions have no persistent KDE columns.

 

 

Cisco ASA Dimensions

These dimensions are used to filter or group-by on fields in flow records from Cisco Adaptive Security Appliances (ASA), which run Cisco ASA software to deliver enterprise-class firewall capabilities in a variety of form factors including standalone appliances, blades, and virtual appliances. For more context on these dimensions, see the Cisco document ASA NetFlow Implementation Guide.

| Dimension name (portal) | Description | Value type | Column type | Direction |
| --- | --- | --- | --- | --- |
| Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer | Virtual | Src/Dst |
| Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | text | Virtual | Src/Dst |
| Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer | Virtual | Non-directional |
| Firewall Event | Indicates a firewall event. 0 = Ignore (invalid): Not used. 1 = Flow created: The NetFlow data record is for a new flow. 2 = Flow deleted: The NetFlow data record is for the end of a flow. 3 = Flow denied: The NetFlow data record indicates a flow that firewall policy denied. 4 = Flow alert: Not used. 5 = Flow update: The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | integer | Virtual | Non-directional |
| Extended Event Code | Provides additional information about an event. 1001 = the flow was denied by an ingress ACL. 1002 = the flow was denied by an egress ACL. 1003 = the flow was denied because connection to ASA interface was denied, an ICMP packet (v4 or v6) was denied, or for an unspecified reason. 1004 = the flow was denied because the first packet on the TCP was not a TCP SYN packet. 2001 or greater = the flow was terminated. | integer | Virtual | Non-directional |
| AAA Username | The username associated with the ASA instance that generated the flow. | text | Virtual | Non-directional |
| Ingress ACL | The ID of the ACL that was applied on the input interface and either permitted or denied the flow. | text | Virtual | Non-directional |
| Egress ACL | The ID of the ACL that was applied on the output interface and either permitted or denied the flow. | text | Virtual | Non-directional |

Note: See also Cisco ASA Metrics.

 

 

Cisco ASA Syslog Dimensions

These dimensions are used to filter or group-by on KDE fields whose values are extracted at ingest from syslog messages generated by Cisco Adaptive Security Appliances (ASA); see About ASA Syslog Messages. Syslog data may provide additional details that supplement the data available in Cisco ASA NetFlow (see Cisco ASA Dimensions).

| Dimension name (portal) | Description | Value type | Column type | Direction |
| --- | --- | --- | --- | --- |
| Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. Flow ID corresponds to the session ID field in Traffic and Threat logs. | integer | Native | Non-directional |
| Message | A Cisco ASA Series syslog message. Messages are listed by message ID in Cisco ASA Series Syslog Messages. | string | Native | Non-directional |
| Severity | The severity level of the message, which varies depending on the cause (see Messages Listed by Severity Level). | integer | Native | Non-directional |
| Message ID | The Cisco-assigned ID for the message. | integer | Native | Non-directional |

 

 

IOS XR Dimensions

These dimensions are used to filter or group-by on fields in flow records from Cisco products running the IOS XR operating system. These fields contain IPFIX “entity” values as described in IPFIX Information Elements. For additional information, see the Cisco document Configure NetFlow on IOS XR.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Dest ToS | Entity 55: The IPFIX postIpClassOfService value, which is the post-observation value of ToS (Type of Service) field (IPv4) or Traffic Class field (IPv6) in the packet header. | integer | Native | Dst only |
| Minimum TTL | Entity 52: The minimum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer | Native | Non-directional |
| Maximum TTL | Entity 55: The maximum value observed for the TTL (time to live) field in the IP header of any packet in this flow. | integer | Native | Non-directional |
| Forwarding Status | Entity 89: The two-bit forwarding status of the flow and associated six-bit reason code or flag. | integer | Native | Non-directional |

 

 

Istio Dimensions

These dimensions are used to filter or group-by on KDE fields related to telemetry metrics from Istio, which is an open source insight and control layer that enables you to secure, connect, and monitor the applications that make up a distributed microservices architecture for hybrid and multi-cloud deployments. For an overview of Istio telemetry, see the Istio document Policies and Telemetry.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Name | Workload instance name. | text | Virtual | Src/Dst |
| Namespace | Workload instance namespace. | text | Virtual | Src/Dst |
| Workload Name | Workload name. | text | Virtual | Src/Dst |
| Workload Namespace | Workload namespace. | text | Virtual | Src/Dst |
| Container Name | Name of the destination workload instance’s container. | text | Virtual | Dst only |
| Service Host | Destination host address. | text | Virtual | Dst only |
| Service Name | Destination service name. | text | Virtual | Dst only |
| Service Namespace | Destination service namespace. | text | Virtual | Dst only |
| Request Path | The HTTP URL path including query string. | text | Virtual | Non-directional |
| Request Method | The HTTP method. | text | Virtual | Non-directional |
| Request User Agent | The HTTP User-Agent header. | text | Virtual | Non-directional |
| Response Code | The HTTP status code in the response. | integer | Virtual | Non-directional |

Note: See also Istio Metrics.

 

 

Juniper PFE Syslog Dimensions

These dimensions represent event-triggered syslog messages from a Juniper switch equipped with a Packet Forwarding Engine (see the Juniper article Informal Guide to Packet Forwarding). If a given switch has multiple PFEs their messages are grouped as if they were from a single PFE. In addition to the dimensions below, the remaining portion of the syslog message may contain information (e.g. MAC address, protocol, IP addresses, and bytes) that is accessible via KDE dimensions that aren’t device-specific.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Message | The first 64 chars of the PFE syslog message. | string | Native | Non-directional |
| Subtype | The subtype of the message, e.g. “FW” for firewall. | string | Native | Non-directional |
| Interface | The device interface on which the event occurred. | string | Native | Non-directional |
| Event | The nature of the event, e.g. “D” for dropped packets. | string | Native | Non-directional |

 

 

Kubernetes Dimensions

These dimensions represent information, gathered by Kentik at ingest, about the setup of a Kubernetes-managed container (see What is Kubernetes). These fields are stored in the KDE flow records of traffic from the container.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Pod Name | The name of a pod, which represents a set of running containers on your cluster. | string | | Src/Dst |
| Pod Namespace | The scope within which the pod name is valid and unique. | string | | Src/Dst |
| Workload Name | The name of a workload, which is a system of services or applications that can run to fulfill a task or carry out a business process. | string | | Src/Dst |
| Workload Namespace | The scope within which the workload name is valid and unique. | string | | Src/Dst |
| Container Name | The name of an executable image that contains software and all of its dependencies. | string | | Dst only |

 

 

Palo Alto Networks Firewall

These dimensions are used to filter or group-by on fields in flow records from Palo Alto Networks firewalls. In addition to the port, IP address, and type of packets, the data identifies the application and includes firewall event information. For more context on these dimensions, see the Palo Alto Networks document NetFlow Templates.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Post-NAT Transport Port | The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. | integer | Virtual | Src/Dst |
| Post-NAT Address | The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. | text | Virtual | Src/Dst |
| ICMP Type | Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code | integer | Virtual | Non-directional |
| Flow ID | An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. | integer | Virtual | Non-directional |
| Application ID | The name of an application (up to 32 bytes). | text | Virtual | Non-directional |
| User ID | A username that User-ID identified. The name can be up to 64 bytes. | text | Virtual | Non-directional |
| Firewall Event | Indicates a firewall event: 0 = Ignore (invalid): Not used; 1 = Flow created: The NetFlow data record is for a new flow; 2 = Flow deleted: The NetFlow data record is for the end of a flow; 3 = Flow denied: The NetFlow data record indicates a flow that firewall policy denied; 4 = Flow alert: Not used; 5 = Flow update: The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile. | integer | Virtual | Non-directional |
| Direction | The direction of the flow: 0 = ingress; 1 = egress | integer | Virtual | Non-directional |
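
The encoded integer dimensions above have to be decoded before they are useful for triage. The following is an added example, not Kentik code: it unpacks the ICMP Type value (type * 256 + code), interprets the ASA Extended Event Code including its open-ended 2001+ range, and counts denied flows (Firewall Event 3) per user. The record keys and sample rows are hypothetical and constructed for illustration; they are not KDE column names.

```python
from collections import Counter

FLOW_DENIED = 3  # Firewall Event value for a policy-denied flow

# ASA Extended Event Codes as listed in this reference.
EXTENDED_EVENT = {
    1001: "denied by ingress ACL",
    1002: "denied by egress ACL",
    1003: "denied: ASA interface connection, ICMP packet, or unspecified",
    1004: "denied: first TCP packet was not a SYN",
}

def decode_icmp(packed):
    """Split the packed 'ICMP Type' value (type * 256 + code) into (type, code)."""
    if not 0 <= packed <= 0xFFFF:
        raise ValueError(f"ICMP value out of range: {packed}")
    return divmod(packed, 256)

def describe_extended(code):
    """Explain an Extended Event Code, including the open-ended 2001+ range."""
    if code >= 2001:
        return "flow terminated"
    return EXTENDED_EVENT.get(code, f"unknown ({code})")

def denied_summary(records):
    """Count denied flows per (user, decoded reason)."""
    counts = Counter()
    for rec in records:
        if rec["firewall_event"] != FLOW_DENIED:
            continue
        if "extended_event" in rec:
            reason = describe_extended(rec["extended_event"])
        elif "icmp" in rec:
            reason = "icmp type %d code %d" % decode_icmp(rec["icmp"])
        else:
            reason = "policy deny"
        counts[(rec.get("user", ""), reason)] += 1
    return counts

# Constructed sample rows; the dict keys are hypothetical, not KDE column names.
SAMPLE = [
    {"firewall_event": 3, "user": "alice", "icmp": 2048},  # type 8, code 0
    {"firewall_event": 3, "user": "alice", "icmp": 2048},
    {"firewall_event": 1, "user": "bob"},
    {"firewall_event": 3, "user": "bob", "extended_event": 1001},
    {"firewall_event": 5, "user": "bob"},
]

if __name__ == "__main__":
    for key, n in denied_summary(SAMPLE).most_common():
        print(n, *key)
```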

 

 

Silver Peak Dimensions

This dimension is used to filter or group-by on flow records from Silver Peak appliances running VXOA software (version 8.1.8 or higher), which is described in this Silver Peak white paper. Silver Peak analyzes the actual packets as traffic flows through their appliances, identifies the applications (e.g. SaaS service) with which each packet is associated, and prioritizes routing by applying application-specific rules.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Application name | The name of an application as identified by a Silver Peak VXOA appliance. | text | Virtual | Non-directional |

 

 

Cisco vEdge Dimensions

These dimensions are used to filter or group-by on IPFIX fields (see IPFIX Information Elements Exported to the Collector) in cflowd records from Cisco vEdge SD-WAN routers. For more information about these devices, refer to the Cisco document Cisco SD-WAN vEdge Routers Data Sheet.

| Dimension name (portal) | Description | Value type | Column type | Direction |
|---|---|---|---|---|
| Maximum packet length | Length of the largest packet observed for this flow. | integer | Native | Non-directional |
| Minimum packet length | Length of the smallest packet observed for this flow. | integer | Native | Non-directional |
| VPN identifier | vEdge VPN identifier. | integer | Native | Non-directional |
| Field 4322 | Reserved for internal use. | integer | Native | Non-directional |
| Flow end reason | Reason for the flow termination (see IANA IPFIX Entities). | integer | Native | Non-directional |
 
