The community_id processor computes a network flow hash according to the
Community ID Flow Hash
specification.
The flow hash is useful for correlating all network events related to a single flow. For example, you can filter on a community ID value and you might get back the Netflow records from multiple collectors and layer 7 protocol records from the Network Packet Capture integration.
By default the processor is configured to read the flow parameters from the appropriate Elastic Common Schema (ECS) fields. If you are processing ECS data, no parameters are required.
- community_id:If the data does not conform to ECS, you can customize the field names that the processor reads from. You can also change the target field that the computed hash is written to. For example:
- community_id:
fields:
source_ip: my_source_ip
source_port: my_source_port
destination_ip: my_dest_ip
destination_port: my_dest_port
iana_number: my_iana_number
transport: my_transport
icmp_type: my_icmp_type
icmp_code: my_icmp_code
target: network.community_idIf the necessary fields are not present in the event, the processor silently continues without adding the target field.
| Name | Required | Default | Description |
|---|---|---|---|
|
No |
Field names that the processor reads from:
|
|
|
No |
Field that the computed hash is written to. |
|
|
No |
Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme. This setting results in a 16-bit unsigned integer that gets incorporated into all generated hashes. |