Dimensions Reference

The dimensions that you can group by and filter by are based in part on actual or virtual columns in the KDE (see KDE Tables). These dimensions are listed in the following topics, which correspond to the categories by which the dimensions are shown in the Dimension Selector Dialog (part of the ad hoc filter controls in the Filtering Options dialog):

Notes:
- Except where noted, the dimensions listed in the tables below are available for both filtering and group-by.
- The value type refers to the data type (text, integer, etc.) of the dimension value.
- The column type refers to whether the dimension is literally stored in KDE (native) or derived at query-time from other KDE-stored information (virtual); see KDE Query Efficiency.
- The KDE name(s) given below, which represent the KDE column(s) corresponding to each dimension, may be used in API queries made with the Query SQL Method.
- Some columns are native (actually stored in the backend) while others are virtual (derived from other information). In general, filtering with dimensions based on native columns will return results faster than filtering with dimensions based on virtual columns.

 

 
 top

Network and Traffic Topology

This category of dimensions is used to filter or group-by on information related to devices including interface names and descriptions, port IDs, etc.

Notes:
- In the Group-by selector, Device Name is represented as the Device dimension.
- In the Group-by selector, Interface Name and Description are represented by the Interface dimension.
- In the Group-by selector, Traffic Orig/Term is represented as two separate dimensions, Traffic Origination and Traffic Termination.
- In the Group-by selector, Ultimate Exit Interface Name and Description are represented by the Ultimate Exit Interface dimension.

 

Device Info Dimensions

Dimensions related to devices (see About Devices):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Device ID Kentik-assigned unique numerical ID of the device (see Device General Settings). string
Virtual
Non-directional:
i_device_id
Device Name User-defined name for the device (see Device General Settings). string
Virtual
Non-directional:
i_device_name
Device Type Type of device: router, host, etc. (see Supported Device Types).
Note: Used only for selection (filtering with WHERE clause), not for display or GROUP_BY.
string
Virtual
Non-directional:
i_device_type
Site Name of the site to which the device has been assigned (see About Sites). If the device hasn’t been assigned to a site, returns an empty string.
Notes:
- Supported operators for WHERE clause: case-insensitive equality, LIKE, IN, and regex matching.
- Site assignments in the table may lag Admin settings by up to 10 minutes.
string
Virtual
Non-directional:
i_device_site_name
Device Labels A label assigned to a collection of devices (see About Device Labels). string
Virtual
Non-directional:
i_device_label

 

Interface Info Dimensions

Dimensions related to interfaces (see About Interfaces):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Interface ID ID of the receiving/sending host or router interface (see Interface Field Definitions). integer
Native
Src/Dst:
input_port,
output_port
Interface Name The Name (e.g. “GigabitEthernet0/1”) of the device interface (physical or logical) through which flow ingressed/egressed (see Interface Field Definitions). string
Virtual
Src/Dst:
i_input_interface_description,
i_output_interface_description
Interface Description The Description (e.g. “Connected to upstream ISP”) of the device interface (physical or logical) through which flow ingressed/egressed (see Interface Field Definitions). string
Virtual
Src/Dst:
i_input_snmp_alias,
i_output_snmp_alias
Interface Capacity The speed of the device interface through which flow ingressed/egressed (see Interface Field Definitions). bigint
Virtual
Src/Dst:
i_input_interface_speed,
i_output_interface_speed

 

Interface Classification Dimensions

Dimensions related to interface classification (see Interface Classification):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Connectivity Type The connectivity type, such as transit, IX peering, etc., of the source/destination interface of this flow (see Connectivity Type Attribute). string
Virtual
Src/Dst:
i_src_connect_type_name,
i_dst_connect_type_name
Network Boundary The network boundary value (internal or external) of the source/destination interface of this flow (see Network Boundary Attribute). string
Virtual
Src/Dst:
i_src_network_bndry_name,
i_dst_network_bndry_name
Provider A string representing the provider via which source/destination traffic over a given interface reaches the Internet (see About Provider Classification). string
Virtual
Src/Dst:
i_src_provider_classification
i_dst_provider_classification

 

Network Classification Dimensions

Dimensions related to network classification (see Network Classification):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Traffic Orig/Term Indicates the location (inside or outside) of the source/destination of the flow (see Network Classification Dimensions). string
Virtual
Src/Dst:
i_trf_origination,
i_trf_termination
Host Direction If flow record is from host, indicates whether the direction of traffic is into or out of that host (see Network Classification Dimensions). string
Virtual
Non-directional:
i_host_direction
Traffic Profile The origination and termination of the flow (see Network Classification Dimensions). string
Virtual
Non-directional:
i_trf_profle

 

Ultimate Exit Dimensions

Dimensions related to Ultimate Exit (see Using Ultimate Exit):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Ultimate Exit Interface ID Number of port through which the flow leaves (see Network Classification Dimensions). bigint
Native
Non-directional:
ult_exit_port
Ultimate Exit Interface Name The SNMP description (portal name) of the interface through which the flow leaves (see Network Classification Dimensions). string
Virtual
Non-directional:
i_ult_exit_interface_description
Ultimate Exit Interface Description The SNMP alias (portal description) of the interface through which the flow leaves (see Network Classification Dimensions). string
Virtual
Non-directional:
i_ult_exit_snmp_alias
Ultimate Exit Connectivity Type The connectivity type value of the interface through which traffic left the network for another AS (see Network Classification Dimensions). string
Virtual
Non-directional:
i_ult_exit_connect_type_name
Ultimate Exit Network Boundary The network boundary value of the interface through which traffic left the network for another AS (see Network Classification Dimensions). string
Virtual
Non-directional:
i_ult_exit_network_bndry_name
Ultimate Exit Provider A string representing the ultimate exit provider (see Why Ultimate Exit). string
Virtual
Non-directional:
i_ult_provider_classifcation
Ultimate Exit Site The name of the site through which the flow leaves (see Why Ultimate Exit). string
Virtual
Non-directional:
i_ult_exit_site
Ultimate Exit Device The name of the device through which the flow leaves (see Why Ultimate Exit). string
Virtual
Non-directional:
i_ult_exit_device_name

 

LAN Dimensions

Dimensions related to LAN properties:

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
VLAN ID of receiving/sending VLAN. integer
Native
Src/Dst:
vlan_in,
vlan_out
MAC Address Ethernet (L2) address of source/destination. Usage described in MAC Address Columns. string
Native
Src/Dst:
src_eth_mac,
dst_eth_mac

 

 
 top

IP and BGP Routing

The dimensions in this category are used to filter or group-by on IP addresses (Ipv4 or Ipv6), protocol (e.g. TCP or UDP), TCP flags, and ToS, as well as routing information including source and destination AS, AS path, AS names, community, prefixes, and hops.

 

IP Info Dimensions

Dimensions related to IP properties:

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
IP/CIDR The source/destination IP address, either IPv4 or IPv6, of the flow. string
Native
Src/Dst:
inet_src_addr
inet_dst_addr
Protocol The number of the protocol. See https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers integer
Native
Non-directional:
protocol
Protocol Name The name of the protocol followed by the corresponding protocol number in parentheses, e.g. TCP (6). In SQL, supports case-insensitive equality and IN matching. string
Virtual
Non-directional:
i_protocol_name
Port Number Layer 4 source/destination port (e.g. 80, 443). integer
Virtual
Src/Dst:
l4_src_port
l4_dst_port
INET Family The address family of the flow, either 4 (IPv4) or 6 (IPv6). integer
Native
Non-directional:
inet_family
DSCP A DSCP (differentiated services code point) value from the DS field in a packet’s IP header, which classifies the packet’s contents to enable differentiated QoS. integer
Native
Non-directional:
dscp
TOS/Diffserv An 8-bit value, typically made up of a six-bit Differentiated Services Code Point (DSCP) field and a two-bit Explicit Congestion Notification (ECN) field. integer
Native
Non-directional:
tos

 

BGP Dimensions

Dimensions related to BGP properties (see About Kentik BGP):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Route Prefix The BGP table prefix, either IPv4 or IPv6, that contains the source/destination IP of the flow. string
Native
Src/Dst:
inet_src_route_prefix
inet_dst_route_prefix
Route LEN The BGP prefix length for the source/destination IP of the flow. integer
Native
Src/Dst:
src_route_length
dst_route_length
AS Number The origin ASN associated with the source/destination IP of the flow. bigint
Native
Src/Dst:
src_as
dst_as
AS Name The name associated with AS Number. string
Virtual
Src/Dst:
i_src_as_name
i_dst_as_name
AS Group A label assigned to a collection of ASes (see About AS Groups). string
Virtual
Src/Dst:
kt_src_as_group
kt_dst_as_group
Next Hop IP/CIDR The BGP next-hop IP address, either IPv4 or IPv6, for the source/destination IP of the flow (see About BGP). string
Native
Src/Dst:
inet_src_next_hop
inet_dst_next_hop
Next Hop AS Number The ASN in the first position of the AS_PATH for the source IP of the flow (see About BGP). integer
Native
Src/Dst:
src_nexthop_as
dst_nexthop_as
Next Hop AS Name Name of Next Hop AS Number string
Virtual
Src/Dst:
i_src_nexthop_as_name
i_dst_nexthop_as_name
2nd Hop AS Number The ASN in the second position of the AS_PATH for the source/destination IP of the flow (see About BGP). integer
Native
Src/Dst:
src_second_asn
dst_second_asn
2nd Hop AS Name Name of 2nd Hop AS Number. string
Virtual
Src/Dst:
i_src_second_asn_name
i_dst_second_asn_name
3rd Hop AS Number The ASN in the third position of the AS_PATH for the source/destination IP of the flow (see About BGP). integer
Native
Src/Dst:
src_third_asn
dst_third_asn
3rd Hop AS Name Name of 3rd Hop AS Number. string
Virtual
Src/Dst:
i_src_third_asn_name
i_dst_third_asn_name
AS Path The BGP ASPATH for the flow’s source/destination IP (see About BGP). string
Native
Src/Dst:
src_bgp_aspath
dst_bgp_aspath
BGP Community The set of BGP communities associated with the flow’s source/destination IP (see About BGP). string
Native
Src/Dst:
src_bgp_community
dst_bgp_community
RPKI Validation Status The RPKI (Resource Public Key Infrastructure; see https://rpki.readthedocs.io/en/latest/) status of a prefix in a BGP-advertised route, which indicates whether the route would be used or dropped if the router were configured to enforce strict route validation. string
Virtual
Dst:
i_dst_rpki_name
RPKI Quick Status Provides a simplified view of RPKI status, enabling easier determination of the action to take on the prefix. string
Virtual
Dst:
i_dst_rpki_min_name

 

VRF Dimensions

Dimensions related to VRF properties:

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
VRF Name The locally significant name of the VRF via which this flow was routed (input or output).
Note: VRF names may vary in different contexts.
string
Virtual
Src/Dst:
i_input_vrf
i_output_vrf
VRF Route Distinguisher Uniquely identifies the VRF via which this flow was routed (input or output). string
Virtual
Src/Dst:
i_input_vrf_rd
i_output_vrf_rd
VRF Route Target Uniquely identifies a shared route (used by multiple VRFs) via which this flow was routed (input or output). string
Virtual
Src/Dst:
i_input_vrf_rt
i_output_vrf_rt
VRF Extended Route Distinguisher An encoding of the VRF route distinguisher (for Kentik internal use only). integer
Native
Src/Dst:
input_vrf
output_vrf

 

Per-flow Metrics

These metrics are available as dimensions that can be used to filter or group-by based on stats related to the bytes and packets of the flow.

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Packet Size Packet size of flow (bytes/packet). integer
Native
Non-directional:
sampledpktsize
Packet Size (nearest 100) Packet size of flow (bytes/packets) rounded down to the nearest multiple of 100. integer
Native
Non-directional:
sampledpktsize_100
Sampling Rate * 100 The rate at which traffic was sampled when flow was collected (see Flow Sampling). integer
Native
Non-directional:
sample_rate

 

 
 top

Cloud Dimensions

The dimensions used to filter or group-by on fields in VPC flow logs from cloud providers are covered in the following topics:

 

 
 top  |  section

General Cloud Dimensions

These dimensions are applicable to all cloud providers.

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Cloud Provider The provider of cloud-based VPCs. string
Virtual
Non-directional:
kt_cloud_provider

 

 
 top  |  section

AWS Dimensions

These dimensions represent data in flow logs from resources in Amazon Web Services (see Kentik for AWS).

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Account Source/destination AWS account. integer
Virtual
Src/Dst:
kt_aws_src_acc_id,
kt_aws_dst_acc_id
Instance Name Source/destination AWS instance name. string
Virtual
Src/Dst:
kt_aws_src_vm_name,
kt_aws_dst_vm_name
Instance Source/destination AWS instance string
Virtual
Src/Dst:
kt_aws_src_vm_id,
kt_aws_dst_vm_id
Region Source/destination AWS Region. string
Virtual
Src/Dst:
kt_aws_src_region,
kt_aws_dst_region
Zone Source/destination AWS Availability Zone. string
Virtual
Src/Dst:
kt_aws_src_zone,
kt_aws_dst_zone
Instance Type Source/destination AWS Instance Type. string
Virtual
Src/Dst:
kt_aws_src_vm_type,
kt_aws_dst_vm_type
Image ID Source/destination AWS Image ID. string
Virtual
Src/Dst:
kt_aws_src_image_id,
kt_aws_dst_image_id
Security Group Source/destination security group. string
Virtual
Src/Dst:
kt_aws_src_sg,
kt_aws_dst_sg
Auto Scaling Group Source/destination auto scaling group. string
Virtual
Src/Dst:
kt_aws_src_asg,
kt_aws_dst_asg
Public DNS Name Source/destination public DNS name. string
Virtual
Src/Dst:
kt_aws_src_pub_dns,
kt_aws_dst_pub_dns
Private DNS Name Source/destination private DNS name. string
Virtual
Src/Dst:
kt_aws_src_priv_dns,
kt_aws_dst_priv_dns
VPC ID Source/destination VPC ID. string
Virtual
Src/Dst:
kt_aws_src_vpc_id,
kt_aws_dst_vpc_id
Subnet ID Source/destination subnet ID. string
Virtual
Src/Dst:
kt_aws_src_subnet_id,
kt_aws_dst_subnet_id
Instance Tags Tags applied to VMs by users. string
Virtual
Src/Dst:
kt_aws_src_vm_tags,
kt_aws_dst_vm_tags
Interface ID The ID of the network interface for which the traffic is recorded. string
Virtual
Non-directional:
kt_aws_interface_id
Firewall Action The action associated with the traffic:
- ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
- REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
string
Virtual
Non-directional:
kt_aws_action
Logging Status The logging status of the flow log:
- OK: Data is logging normally to the chosen destinations.
- NODATA: There was no network traffic to or from the network interface during the capture window.
- SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.
string
Virtual
Non-directional:
kt_aws_status

 

 
 top  |  section

GCP Dimensions

These dimensions represent data in flow logs from resources in Google Cloud Platform (see Kentik for GCP).

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Project ID Source GCE Project ID. string
Virtual
Src/Dst:
kt_gce_src_proj_id,
kt_gce_dst_proj_id
VM Name Source VM Name. string
Virtual
Src/Dst:
kt_gce_src_vm_name,
kt_gce_dst_vm_name
Region Source VM Name. string
Virtual
Src/Dst:
kt_gce_src_region,
kt_gce_dst_region
Zone Source VM Name. string
Virtual
Src/Dst:
kt_gce_src_zone,
kt_gce_dst_zone
Subnet Name Source GCE Subnet Name. string
Virtual
Src/Dst:
kt_gce_src_vpc_snn,
kt_gce_dst_vpc_snn
VM Type Source VM type. string
Virtual
Src/Dst:
kt_gce_src_vm_type,
kt_gce_dst_vm_type
Image ID Source image ID. string
Virtual
Src/Dst:
kt_gce_src_vm_image,
kt_gce_dst_vm_image
Instance Group ID or Name Src instance group ID or name. string
Virtual
Src/Dst:
kt_gce_src_vm_group,
kt_gce_dst_vm_group
Reporter Indicates where the flow was collected/reported:
- By the source VM/instance if value is SRC;
- By the destination VM/instance if value is DEST.
string
Virtual
Non-directional:
kt_gce_reporter

 

 
 top  |  section

Azure Dimensions

These dimensions represent data in flow logs from resources in Microsoft Azure (see Kentik for Azure).

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Instance Name The name of the Azure instance (VM) that generated the flow log. string
Native
Src/Dst:
kt_az_src_inst_name,
kt_az_dst_inst_name
Instance The raw ID of the log-generating instance, which is useful for programmatic management of compute resources. string
Native
Src/Dst:
kt_az_src_inst_id,
kt_az_dst_inst_id
Region The geographical region of the Azure instance, which corresponds to a specific set of Azure data centers in which the instance may run. string
Native
Src/Dst:
kt_az_src_region,
kt_az_dst_region
Zone The High Availability Zone where the instance is currently deployed, which corresponds to a specific data center within a region. integer
Native
Src/Dst:
kt_az_src_zone,
kt_az_dst_zone
Instance Type The kind of instance-generated flow logs, which may be Azure-provided or custom-built. These values do not folllow a standard naming nomenclature. string
Native
Src/Dst:
kt_az_src_inst_type,
kt_az_dst_inst_type
Public DNS Name The publically resolvable DNS name for an instance. string
Native
Src/Dst:
kt_az_src_fqdn,
kt_az_dst_fqdn
VNet ID An identifier for the virtual network object in which an instance resides. A virtual network is a collection of subnets within a given region. string
Native
Src/Dst:
kt_az_src_vnet,
kt_az_dst_vnet
Subnet Name The name of a subnet resource assigned to a virtual network. string
Native
Src/Dst:
kt_az_src_subnet,
kt_az_dst_subnet
Resource Group A set of related technical resources (disk, storage, VMs, APIs, services, etc.) that can be accessed as a group for bulk operations. string
Native
Src/Dst:
kt_az_src_resource_group,
kt_az_dst_resource_group
Public IP Address The public IP address assigned to an Azure instance. Public IP addresses are not assigned by default. string
Native
Src/Dst:
kt_az_src_public_ip,
kt_az_dst_public_ip
Subscription A top-level administrative object representing a set of resources that will be billed together in a monthly cycle. All Azure resources are tied to a subscription, which may contain multiple resource groups. string
Native
Src/Dst:
kt_az_src_sub_id,
kt_az_dst_sub_id
Security Rule The name of the security rule by which this flow was allowed or denied as it passed through a security group (see below) on its way to or from an Azure instance. string
Native
Src/Dst:
ktsubtype__azure_subnet__STR01,
ktsubtype__azure_subnet__STR00
Firewall Action The actions (allow or deny) taken on this flow by the security rules by which it was evaluated on the way to or from an Azure instance. string
Native
Src/Dst:
ktsubtype__azure_subnet__STR03,
ktsubtype__azure_subnet__STR02
Security Group A collection of enforced security policies (each a collection of rules) at the edge of a virtual network and/or applied to a network interface attached to an instance. Traffic to an instance from the internet must pass through at least one security group at the edge of the virtual network and may also pass through an additional security group attached to the interface of an instance. string
Native
Src/Dst:
kt_az_src_nsg_name,
kt_az_dst_nsg_name

 

 
 top

Geolocation Dimensions

These dimensions are used to filter or group-by on flow properties related to physical location.

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
Custom Geo A collection of countries that have been assigned a common geographical label (see About Custom Geo). string
Native
Src/Dst:
kt_src_market,
kt_dst_market
Country Two-letter country code associated with the source/destination IP of the flow. string
Native
Src/Dst:
src_geo,
dst_geo
Region Full-string English name of the region (state or province, e.g. “California”) associated with the source IP of the flow. string
Native
Src/Dst:
src_geo_region,
dst_geo_region
City Full-string English name of the city (e.g. “San Francisco”) associated with the source IP of the flow. string
Native
Src/Dst:
src_geo_city,
dst_geo_city
Site Country A country in which your organization has sites; enables the grouping, with a single dimension, of traffic from all sites in a given country. string
Virtual
Non-directional:
i_device_site_country
Ultimate Exit Site Country The name of the country containing the site through which flow leaves. string
Virtual
Non-directional:
i_ult_exit_site_country

 

 
 top

Application Context and Security

These dimensions are used to filter or group-by based on various factors related to context — whether a flow originated or terminated with a commercial CDN, for example, or what “service” (port and protocol) it represents — as well as whether the value of certain flow fields match those of known security threats.

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
CDN Commercial CDN (if any) with which the flow originated/terminated (see CDN Attribution Dimensions).
Note: This dimension is available only for organizations with CDN Attribution enabled.
string
Native
Src/Dst:
src_cdn,
dst_cdn
Service (Port + Proto) The combination of the port and protocol of the source/destination flow.
Note: This dimension is available only for group-by. For filtering, use Port Number and Protocol.
string
Virtual
Src/Dst:
N.A.
Bot Net CC A source/destination IP for the flow that has been identified as a botnet command and control (CC) servers (see Threat Feed Dimensions). string
Native
Src/Dst:
src_threat_bnetcc,
dst_threat_bnetcc
Threat List Host A source/destination IP for the flow that has been identified as a threat (see Threat Feed Dimensions). string
Native
Src/Dst:
src_threat_host,
dst_threat_host
Application An identifying string for the application associated with a flow, which is either derived by evaluating flow data or provided in the flow data itself (see About Applications). string
Native
Non-directional:
application
TCP Flags TCP flags that were set on the flow using a flow mask (TCP Flag Filtering). integer
Native
Non-directional:
tcp_flags
OTT Service An individual OTT content service whose hostname is looked up via DNS. string
Native
Non-directional:
ott_service
OTT Service Type The nature of the content provided by an OTT content service. Values include Adult, Ads, Antivirus, Audio, Cloud, Conferencing, Dating, Developer Tools, Documents, Ecommerce, File Sharing, Gaming, IoT, Mail, Maps, Media, Messaging, Network, Newsgroups, Photo Sharing, Social, Software Download, Software Updates, Storage, Video, VPN, Web. string
Virtual
Non-directional:
N.A.
OTT Service Provider An entity that offers an OTT content service. For example Google is the provider for Google Drive, GMail, Google Maps, etc. string
Virtual
Non-directional:
N.A.

 

 
 top

Application Decodes

Dimensions related to “application decodes” are covered in the following topics:

 

 
 top  |  section

About Application Decodes

Application decodes dimensions are used to filter or group-by based on host-related fields (e.g. HTTP and DNS-related fields) with which Kentik enriches flow records from our software host agent (see About kprobe). Kentik originally allocated this data to a fixed set of KDE columns but later switched to the more efficient approach of storing it in UDR columns (see Universal Data Records). As a result, data from current kprobe versions is queried via dimensions that are categorized as “Application Decodes” in the portal UI while data from kprobe versions older than 1.3.0 is queried via dimensions that are now categorized as “Legacy Application Decodes.”

Note: To determine the version of a given instance of kprobe, use the --version argument described in Print-related Configuration.

 

 
 top  |  section

Application Decodes Dimensions

The dimensions in the table below correspond to application decode fields from kprobe version 1.3.0 and above, which use UDR columns in KDE (see Universal Data Records).

Notes:
- These dimensions are all non-directional.
- For application decodes metrics, see Application Decodes Metrics.
- The dimensions below require Kentik’s kprobe software host agent (see About kprobe).

 

DNS Dimensions

Dimensions related to DNS properties (see Host Traffic Dimensions):

Dimension
name (portal)
Description Type:
value
column
Direction
DNS Query Name Query from a DNS resolver to a DNS name server. string
UDR
Non-directional
DNS Query Type The resource record type requested by the DNS query. bigint
UDR
Non-directional
DNS Reply Code DNS return code (see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6). bigint
UDR
Non-directional
DNS Reply Data The response from a DNS server to a DNS query. string
UDR
Non-directional

 

HTTP Dimensions

Dimensions related to HTTP properties (see Host Traffic Dimensions):

Dimension
name (portal)
Description Type:
value
column
Direction
HTTP URL Filename portion of path, with query string (if any). string
UDR
Non-directional
HTTP Host Domain name of the server. string
UDR
Non-directional
HTTP Referrer The address from which a destination webpage is requested. string
UDR
Non-directional
HTTP URL Filename portion of path, with query string (if any). string
UDR
Non-directional
HTTP Host Domain name of the server. string
UDR
Non-directional

 

TLS Dimensions

Dimensions related to Transport Layer Security (see IETF RFC8446):

Dimension
name (portal)
Description Type:
value
column
Direction
TLS Server Name The Server Name Indication (SNI), which is a TLS extension by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. string
UDR
Non-directional
TLS Server Version The version of the TLS server (as of August 2018 the current version was 1.3). integer
UDR
Non-directional
TLS Cipher Suite A set of cryptographic algorithms used to create keys and encrypt information for TLS. integer
UDR
Non-directional

 

DHCP Dimensions

Dimensions related to Dynamic Host Configuration Protocol (see IETF RFC2131):

Dimension
name (portal)
Description Type:
value
column
Direction
DHCP OP Message op code / message type: 1 = BOOTREQUEST, 2 = BOOTREPLY. integer
UDR
Non-directional
DHCP Message Type The type of the DHCP message, e.g. DHCPDISCOVER, DHCPOFFER, etc. (see DHCP Message Type). integer
UDR
Non-directional
DHCP CI Address A client IP address (ciaddr) that has already been allocated and accepted; only filled in if client is in BOUND, RENEW or REBINDING state and can respond to ARP requests. string
UDR
Non-directional
DHCP YI Address The IP address of the client (yiaddr) as allocated by the server and accepted by the client. string
UDR
Non-directional
DHCP SI Address The IP address of next server to use in bootstrap (siaddr). string
UDR
Non-directional
DHCP Lease In a client request (DHCPDISCOVER or DHCPREQUEST), the requested lease time for the IP address; in a server reply, the lease time offered by the server (see IP Address Lease Time). integer
UDR
Non-directional
DHCP CH Address The client hardware address (chaddr). string
UDR
Non-directional
DHCP Hostname The name of the client (see Host Name Option). string
UDR
Non-directional
DHCP Domain The domain name that client should use when resolving hostnames via the Domain Name System (see Domain Name Option). string
UDR
Non-directional

 

Radius Dimensions

Dimensions related to RADIUS (see FreeRADIUS attributes):

Dimension
name (portal)
Description Type:
value
column
Direction
Radius Code The RADIUS Packet type: Access-Request, Access-Accept, Access-Reject, or Access-Challenge (see IETF RFC2865). integer
UDR
Non-directional
Radius User Name The name of the user to be authenticated. string
UDR
Non-directional
Radius Service Type The type of service the user has requested, or the type of service to be provided. integer
UDR
Non-directional
Radius Framed IP Address The address to be configured for the user. string
UDR
Non-directional
Radius Framed IP Mask The IP netmask to be configured for the user when the user is a router to a network. string
UDR
Non-directional
Radius Framed Protocol The framing to be used for framed access. string
UDR
Non-directional
Radius Accounting Status Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). integer
UDR
Non-directional
Radius Accounting Session ID A unique Accounting ID that enables the matching of start and stop records in a log file. string
UDR
Non-directional

 

 
 top  |  section

Legacy Application Decodes

The dimensions in the table below correspond to application decode fields from kprobe versions earlier than 1.3.0.

Note: The dimensions below require Kentik’s kprobe software host agent (see About kprobe).

 

Legacy DNS Dimensions

Dimensions related to DNS properties (see Host Traffic Dimensions):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
DNS Query Query from a DNS resolver to a DNS name server.
Note: Superseded by DNS Query Name.
string
Native
Src/Dst:
kflow_dns_query,
N.A.
DNS Query Type The resource record type requested by the DNS query. bigint
Native
Src/Dst:
kflow_dns_query_type,
N.A.
DNS Return Code DNS return code (see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6).
Note: Superseded by DNS Reply Code.
bigint
Native
Src/Dst:
kflow_dns_ret_code,
N.A.
DNS Response The response from a DNS server to a DNS query.
Note: Superseded by DNS Reply Data.
string
Native
Src/Dst:
kflow_dns_response,
N.A.

 

Legacy HTTP Dimensions

Dimensions related to HTTP properties (see Host Traffic Dimensions):

Dimension
name (portal)
Description Type:
value
column
Direction
KDE name(s)
HTTP URL Filename portion of path, with query string (if any). string
Native
Src/Dst:
N.A.,
kflow_http_url
HTTP Host Header Domain name of the server.
Note: Superseded by HTTP Host.
string
Native
Src/Dst:
N.A.,
kflow_http_host
HTTP Return Code HTTP status code.
Note: Superseded by HTTP Status.
bigint
Native
Src/Dst:
N.A.,
kflow_http_status
HTTP Referrer The address from which a destination webpage is requested. string
Native
Src/Dst:
N.A.,
kflow_http_referer
HTTP User Agent User agent information identifying the client that submitted a request. string
Native
Src/Dst:
N.A.,
kflow_http_ua

 

 
 top

Container Networking Dimensions

Kentik currently supports Kubernetes for container networking. Support for other forms of container networking is planned.

 

 
 top  |  section

Kubernetes Dimensions

These dimensions represent information, gathered by Kentik at ingest, about the setup of a Kubernetes-managed container (see What is Kubernetes). These fields are stored in the KDE flow records of traffic from the container.

Dimension
name (portal)
Description Type:
value
column
Direction
Pod Name The name of a pod, which represents a set of running containers on your cluster. string Src/Dst
Pod Namespace The scope within which the pod name is valid and unique. string Src/Dst
Workload Name The name of a workload, which is a system of services or applications that can run to fulfill a task or carry out a business process. string Src/Dst
Workload Namespace The scope within which the workload name is valid and unique. string Src/Dst
Container Name The name of an executable image that contains software and all of its dependencies. string Dst only

 

 
 top

Device Metrics Dimensions

Device metrics dimensions, which enable you to do filtering or top-X evaluations based on metrics from devices, are covered in the following topics:

 

 
 top  |  section

Synthetic Dimensions

Note: Queries using Synthetic dimensions are subject to the following restrictions:
- Synthetic dimensions cannot be mixed with dimensions from any other category.
- Results will return only if the query’s metrics are from the Synthetic category in the Metrics Dialog.

When kproxy is used for synthetic measurement (see kproxy Synthetic Measurement) it generates both dimensions and metrics, which are stored in or derived from UDR columns (see Universal Data Records) rather than standard KDE columns. The following table shows the dimensions from synthetic measurement that may be used for filtering or group-by in queries:

Dimension
name (portal)
Description Type:
value
column
Direction
Connection Name Destination identifier string
UDR
Non-directional
Connection Type One of the following integers, which each represent a type of connection:
1: Traffic from client to server;
2: Traffic from server to client;
3: Traceroute traffic.
int
UDR
Non-directional
ICMP Hop Name Fully qualified domain name of the hop (or IP address if lookup isn’t possible). string
UDR
Non-directional
ICMP This Hop A number referring to an individual hop. int
UDR
Non-directional
ICMP This Try The number of the try for this hop. Each hop is tried 3 times. int
UDR
Non-directional
ICMP Total Hops In a given ICMP Try, the number of hops it took to get to the destination. int
UDR
Non-directional

Note: For metrics related to synthetic measurement, see Synthetic Metrics.

 

 
 top  |  section

SNMP Dimensions

Note: Queries using SNMP dimensions are subject to the following restrictions:
- SNMP dimensions cannot be mixed with dimensions from any other category.
- Results will return only if the query’s metrics are from the SNMP category in the Metrics Dialog.

If SNMP polling is enabled on a router (see SNMP OID Polling) then Kentik is able to enrich the KDE with the SNMP-derived dimensions listed below. These dimensions are stored in Kentik Detect using Universal Data Records (UDR), allowing flexible allocation of data to the columns of the Kentik Data Engine. See also Information SNMP OIDs.

Dimension
name (portal)
Description Type:
value
column
Direction
Interface The Name and Description of the interface (see Interface Field Definitions) stated in the form of “name: description”. string
UDR
Non-directional
Device The Kentik-registered name for the device (see Device General Settings). int
UDR
Non-directional
Site Name of the site to which the device has been assigned (see About Sites). If the device hasn’t been assigned to a site, returns an empty string.
Notes:
- Supported operators for WHERE clause: case-insensitive equality, LIKE, IN, and regex matching.
- Site assignments in the table may lag Admin settings by up to 10 minutes.
string
UDR
Non-directional
Provider A string representing the provider via which source/destination traffic over a given interface reaches the Internet (see About Provider Classification). string
UDR
Non-directional
Connectivity Type The connectivity type, such as transit, IX peering, etc., of the source/destination interface of this flow (see Connectivity Type Attribute). string
UDR
Non-directional
Network Boundary The network boundary value (internal or external) of the source/destination interface of this flow (see Network Boundary Attribute). string
UDR
Non-directional
Interface Capacity The speed of the device interface through which flow ingressed/egressed (see Interface Field Definitions). integer
UDR
 

 

 
 top  |  section

Streaming Telemetry Dimensions

Note: Queries using Streaming Telemetry dimensions are subject to the following restrictions:
- Streaming Telemetry dimensions cannot be mixed with dimensions from any other category.
- Results will return only if the query’s metrics are from the Streaming Telemetry category in the Metrics Dialog.

If streaming telemetry publishing is enabled on a router (see Streaming Telemetry Device Support) then you can run queries in the portal that return the values of the ST metrics listed in Streaming Telemetry Metrics. The dimensions that are available for these ST queries have the same names as the dimensions listed in the SNMP Dimensions table above, but they appear in the Streaming Telemetry section of the list in the portal’s Group By Dimensions dialog (e.g. in Data Explorer).

 

 
 top

MPLS Dimensions

Multiprotocol Label Switching (MPLS) is a routing scheme for network data that enables network operators to define label-switched paths that let routers move packets within the network without consulting a routing table at each hop (see Using MPLS). The following table shows the MPLS-related dimensions that may be used for filtering or group-by in queries:

Dimension
name (portal)
Description Type:
value
column
Direction
MPLS Forwarding Type This field denotes the label distribution scheme used by the router to forward the MPLS traffic. Currently only Cisco ASR devices export this field. integer
UDR
Non-directional
MPLS Forwarding Address The IP address of the destination PE (provider edge) router where the flow will exit the MPLS domain before re-entering standard IP forwarding domains. integer
UDR
Non-directional
MPLS Forwarding Address Prefix Length The prefix length for the destination Forwarding Address of the flow. integer
UDR
Non-directional
MPLS Label 1 The value of the top label assigned to the flow. integer
UDR
Non-directional
MPLS Label 1 EXP The value of the experimental bits assigned to the flow. Typically this is used to map IP-based Quality of Service (QoS) markings into MPLS domains so that routers can apply appropriate forwarding policies to MPLS flows. integer
UDR
Non-directional
MPLS Label 2 The value of the second label assigned to the flow. integer
UDR
Non-directional
MPLS Label 2 EXP The value of the experimental bits assigned to the flow. Typically this is used to map IP-based Quality of Service (QoS) markings into MPLS domains so that routers can apply appropriate forwarding policies to MPLS flows. integer
UDR
Non-directional
Forwarding Status The two-bit forwarding status of the flow and associated six-bit reason code or flag. This dimension represents IPFIX entity 89 (IANA). integer
Native
Non-directional

 

 
 top

Device-specific Dimensions

Device-specific dimensions are covered in the following topics:

 

 
 top  |  section

About Device-specific Dimensions

Device-specific dimensions originate as flow records that are specific to given types of devices, whether physical or virtual, such as Kubernetes containers, Istio mesh, Palo Alto Networks firewalls, or Cisco ASA appliances. These records are ingested into Kentik Detect as Universal Data Records (UDR), allowing flexible allocation of flow fields to the columns of the Kentik Data Engine. The resulting dimensions are used for filter or group-by like any other fields in Kentik-ingested flow records.

Notes:
- Kentik Detect also stores and uses certain Device-specific Metrics.
- UDR dimensions have no persistent KDE columns.

 

 
 top  |  section

Cisco ASA Dimensions

These dimensions are used to filter or group-by on fields in flow records from Cisco Adaptive Security Appliances (ASA), which run Cisco ASA software to deliver enterprise-class firewall capabilities in a variety of form factors including standalone appliances, blades, and virtual appliances. For more context on these dimensions, see the Cisco document ASA NetFlow Implementation Guide.

Note: Syslog from Cisco ASA is ingested into KDE via Kentik’s NetFlow Proxy Agent. For further information please contact Customer Support.

Dimension
name (portal)
Description Type:
value
column
Direction
Post-NAT Transport Port The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. integer
Virtual
Src/Dst
Post-NAT Address The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. string
Virtual
Src/Dst
Flow ID An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. integer
Virtual
Non-directional
Firewall Event Indicates a firewall event:
- 0 = Ignore (invalid)—Not used.
- 1 = Flow created—The NetFlow data record is for a new flow.
- 2 = Flow deleted—The NetFlow data record is for the end of a flow.
- 3 = Flow denied—The NetFlow data record indicates a flow that firewall policy denied.
- 4 = Flow alert—Not used.
- 5 = Flow update—The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile.
integer
Virtual
Non-directional
Extended Event Code Provides additional information about an event:
1001 = the flow was denied by an ingress ACL.
1002 = the flow was denied by an egress ACL.
1003 = the flow was denied because connection to ASA interface was denied, an ICMP packet (v4 or v6) was denied, or for an unspecified reason.
1004 = the flow denied because the first packet on the TCP was not a TCP SYN packet.
2001 or greater = the flow was terminated.
integer
Virtual
Non-directional
AAA Username The username associated with the ASA instance that generated the flow. string
Virtual
Non-directional
Ingress ACL The ID of the ACL that was applied on the input interface and either permitted or denied the flow. string
Virtual
Non-directional
Egress ACL The ID of the ACL that was applied on the output interface and either permitted or denied the flow. string
Virtual
Non-directional

Note: See also Cisco ASA Metrics.

 

 
 top  |  section

Cisco ASA Syslog Dimensions

These dimensions are used to filter or group-by on KDE fields whose values are extracted at ingest from syslog messages generated by Cisco Adaptive Security Appliances (ASA); see About ASA Syslog Messages. Syslog data may provide additional details that supplement the data available in Cisco ASA NetFlow (see Cisco ASA Dimensions).

Note: Syslog from Cisco ASA is ingested into KDE via Kentik’s NetFlow Proxy Agent. For further information please contact Customer Support.

Dimension
name (portal)
Description Type:
value
column
Direction
Flow ID An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. Flow ID corresponds to the session ID field in Traffic and Threat logs. integer
Native
Non-directional
Message A Cisco ASA Series syslog message. Messages are listed by message ID in Cisco ASA Series Syslog Messages. string
Native
Non-directional
Severity The severity level of the message, which varies depending on the cause (see Messages Listed by Severity Level). integer
Native
Non-directional
Message ID The Cisco-assigned ID for the message. integer
Native
Non-directional

 

 
 top  |  section

IOS XR Dimensions

These dimensions are used to filter or group-by on fields in flow records from Cisco products running the IOS XR operating system. These fields contain IPFIX “entity” values as described in IPFIX Information Elements. For additional information, see the Cisco document Configure NetFlow on IOS XR.

Dimension
name (portal)
Description Type:
value
column
Direction
Dest ToS Entity 55: The IPFIX postIpClassOfService value, which is the post-observation value of ToS (Type of Service) field (IPv4) or Traffic Class field (IPv6) in the packet header. integer
Native
Dst only
Minimum TTL Entity 52: The minimum value observed for the TTL (time to live) field in the IP header of any packet in this flow. integer
Native
Non-directional
Maximum TTL Entity 55: The maximum value observed for the TTL (time to live) field in the IP header of any packet in this flow. integer
Native
Non-directional
Forwarding Status Entity 89: The two-bit forwarding status of the flow and associated six-bit reason code or flag. integer
Native
Non-directional

 

 
 top  |  section

Istio Dimensions

These dimensions are used to filter or group-by on KDE fields related to telemetry metrics from Istio, which is an open source insight and control layer that enables you to secure, connect, and monitor the applications that make up a distributed microservices architecture for hybrid and multi-cloud deployments. For an overview of Istio telemetry, see the Istio document Policies and Telemetry.

Dimension
name (portal)
Description Type:
value
column
Direction
Name Workload instance name. string
Virtual
Src/Dst
Namespace Workload instance namespace. string
Virtual
Src/Dst
Workload Name Workload name. string
Virtual
Src/Dst
Workload Namespace Workload namespace. string
Virtual
Src/Dst
Container Name Name of the destination workload instance’s container. string
Virtual
Dst only
Service Host Destination host address. string
Virtual
Dst only
Service Name Destination service name. string
Virtual
Dst only
Service Namespace Destination service namespace. string
Virtual
Dst only
Request Path The HTTP URL path including query string. string
Virtual
Non-directional
Request Method The HTTP method. string
Virtual
Non-directional
Request User Agent The HTTP User-Agent header. string
Virtual
Non-directional
Response Code The HTTP status code in the response. integer
Virtual
Non-directional

Note: See also Istio Metrics.

 

 
 top  |  section

Juniper PFE Syslog Dimensions

These dimensions represent event-triggered syslog messages from a Juniper switch equipped with a Packet Forwarding Engine (see the Juniper article Informal Guide to Packet Forwarding). If a given switch has multiple PFEs their messages are grouped as if they were from a single PFE. In addition to the dimensions below, the remaining portion of the syslog message may contain information (e.g. MAC address, protocol, IP addresses, and bytes) that is accessible via KDE dimensions that aren’t device-specific.

Note: Syslog from Juniper PFE is ingested into KDE via Kentik’s NetFlow Proxy Agent. For further information please contact Customer Support.

Dimension
name (portal)
Description Type:
value
column
Direction
Message The first 64 chars of the PFE syslog message. string
Native
Non-directional
Subtype The subtype of the message, e.g. “FW” for firewall. string
Native
Non-directional
Interface The device interface on which the event occurred. string
Native
Non-directional
Event The nature of the event, e.g. “D” for dropped packets. string
Native
Non-directional

 

 
 top  |  section

Palo Alto Networks Firewall

These dimensions are used to filter or group-by on fields in flow records from Palo Alto Networks firewalls. In addition to the port, IP address, and type of packets, the data identifies the application and includes firewall event information. For more context on these dimensions, see the Palo Alto Networks document NetFlow Templates.

Dimension
name (portal)
Description Type:
value
column
Direction
Post-NAT Transport Port The source/destination port identifier in the transport header, as modified by the firewall during network address port translation after the packet traversed the interface. integer
Virtual
Src/Dst
Post-NAT Address The IPv4 source/destination address in the IP packet header, as modified by the firewall during network address translation after the packet traversed the interface. string
Virtual
Src/Dst
ICMP Type Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code integer
Virtual
Non-directional
Flow ID An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flowID corresponds to the session ID field in Traffic and Threat logs. integer
Virtual
Non-directional
Application ID The name of an application (up to 32 bytes). string
Virtual
Non-directional
User ID A username that User-ID identified. The name can be up to 64 bytes. string
Virtual
Non-directional
Firewall Event Indicates a firewall event:
- 0 = Ignore (invalid)—Not used.
- 1 = Flow created—The NetFlow data record is for a new flow.
- 2 = Flow deleted—The NetFlow data record is for the end of a flow.
- 3 = Flow denied—The NetFlow data record indicates a flow that firewall policy denied.
- 4 = Flow alert—Not used.
- 5 = Flow update—The NetFlow data record is sent for a long-lasting flow, which is a flow that lasts longer than the Active Timeout period configured in the NetFlow server profile.
integer
Virtual
Non-directional
Direction The direction of the flow:
- 0 = ingress
- 1 = egress
integer
Virtual
Non-directional

 

 
 top  |  section

Silver Peak Dimensions

This dimension is used to filter or group-by on flow records from Silver Peak appliances running VXOA software (version 8.1.8 or higher), which is described in this Silver Peak white paper. Silver Peak analyzes the actual packets as traffic flows through their appliances, identifies the applications (e.g. SaaS service) with which each packet is associated, and prioritizes routing by applying application-specific rules.

Dimension
name (portal)
Description Type:
value
column
Direction
Application name The name of an application as identified by a Silver Peak VXOA appliance. string
Virtual
Non-directional

 

 
 top  |  section

Cisco vEdge Dimensions

These dimensions are used to filter or group-by on IPFIX fields (see IPFIX Information Elements Exported to the Collector) in cflowd records from Cisco vEdge SD-WAN routers. For more information about these devices, refer to the Cisco document Cisco SD-WAN vEdge Routers Data Sheet.

Dimension
name (portal)
Description Type:
value
column
Direction
Maximum packet length Length of the largest packet observed for this flow. integer
Native
Non-directional
Minimum packet length Length of the smallest packet observed for this flow. integer
Native
Non-directional
VPN identifier VEdge VPN identifier. integer
Native
Non-directional
Field 4322 Reserved for internal use. integer
Native
Non-directional
Flow end reason Reason for the flow termination (see IANA IPFIX Entities). integer
Native
Non-directional

In this article: