Network flows format reference

The document is organized in two main categories: Labels and regular Fields. This distinction only matters when querying Loki. This is because Labels, unlike Fields, must be used in .

If you are reading this specification as a reference for the Kafka export feature, you must treat all Labels and Fields as regualr fields and ignore any distinctions between them that are specific to Loki.

SrcK8S_Namespace

• SrcK8S_Namespace: string

Source namespace

DstK8S_Namespace

• Optional DstK8S_Namespace: string

Destination namespace

SrcK8S_OwnerName

• Optional SrcK8S_OwnerName: string

Source owner, such as Deployment, StatefulSet, etc.

DstK8S_OwnerName

• Optional DstK8S_OwnerName: string

Destination owner, such as Deployment, StatefulSet, etc.

FlowDirection

• FlowDirection: see the following section, Enumeration: FlowDirection for more details.

Flow direction from the node observation point

_RecordType

• Optional _RecordType: RecordType

Type of record: ‘flowLog’ for regular flow logs, or ‘allConnections’, ‘newConnection’, ‘heartbeat’, ‘endConnection’ for conversation tracking

SrcAddr

• SrcAddr: string

Source IP address (ipv4 or ipv6)

DstAddr

• DstAddr: string

Destination IP address (ipv4 or ipv6)

SrcMac

• SrcMac: string

Source MAC address

DstMac

Destination MAC address

SrcK8S_Name

• Optional SrcK8S_Name: string

Name of the source matched Kubernetes object, such as Pod name, Service name, etc.

DstK8S_Name

• Optional DstK8S_Name: string

SrcK8S_Type

• Optional SrcK8S_Type: string

Kind of the source matched Kubernetes object, such as Pod, Service, etc.

DstK8S_Type

• DstK8S_Type: string

Kind of the destination matched Kubernetes object, such as Pod name, Service name, etc.

SrcPort

• SrcPort: number

Source port

DstPort

• DstPort: number

Destination port

SrcK8S_OwnerType

• Optional SrcK8S_OwnerType: string

Kind of the source Kubernetes owner, such as Deployment, StatefulSet, etc.

DstK8S_OwnerType

• Optional DstK8S_OwnerType: string

Kind of the destination Kubernetes owner, such as Deployment, StatefulSet, etc.

SrcK8S_HostIP

• Optional SrcK8S_HostIP: string

Source node IP

DstK8S_HostIP

• Optional DstK8S_HostIP: string

Destination node IP

SrcK8S_HostName

• Optional SrcK8S_HostName: string

Source node name

DstK8S_HostName

• Optional DstK8S_HostName: string

Destination node name

Proto

• Proto: number

L4 protocol

Interface

Network interface

Packets

• Packets: number

Packets_AB

• Packets_AB: number

In conversation tracking, A to B packets counter per conversation

Packets_BA

• Optional Packets_BA: number

In conversation tracking, B to A packets counter per conversation

Bytes

• Bytes: number

Number of bytes in this flow

Bytes_AB

• Optional Bytes_AB: number

In conversation tracking, A to B bytes counter per conversation

Bytes_BA

• Optional Bytes_BA: number

In conversation tracking, B to A bytes counter per conversation

TimeFlowStartMs

• TimeFlowStartMs: number

Start timestamp of this flow, in milliseconds

TimeFlowEndMs

• TimeFlowEndMs: number

End timestamp of this flow, in milliseconds

TimeReceived

• TimeReceived: number

Timestamp when this flow was received and processed by the flow collector, in seconds

_HashId

• Optional _HashId: string

In conversation tracking, the conversation identifier

_IsFirst

• Optional _IsFirst: string

In conversation tracking, a flag identifying the first flow

numFlowLogs

• Optional numFlowLogs: number

In conversation tracking, a counter of flow logs per conversation

Ingress

• Ingress = "0"

Incoming traffic, from node observation point

Egress