communityId() Query Function

New in version 1.33.

Computes the Community ID, a standard for hashing network flows. This can be used to easily correlate and join network flows across systems.

This implements the community_id_v1 functions as described in the Community ID Spec. If the protocol is found to be ICMP, then icmptype and icmpcode will be mapped to port equivalents as described by the community_id_icmp function in the specification.

If this function receives invalid inputs (for example an invalid IP or a port out of range), it will assign the empty string to the output field (as).

Parameters

Name

Type

Required

Default

Description

as

string

No

_community_id

Name of the output field

proto

string

Yes

Name of protocol field. This field will be read directly and either interpreted directly as a IANA protocol number, or as the keyword of a protocol number from the Protocol Numbers list. The value in the field must be either a protocol keyword or a number in the range 0 to 255.

sourceip

string

Yes

Name of source IP address field. The value must be an IPv4 or IPv6 address

destinationip

string

Yes

Name of destination IP address field. The value must be an IPv4 or IPv6 address

sourceport

string

No

Name of the source port field. The value found in this field must be a numerical value in the range 0 to 65535. If set, the destinationip parameter must also be set.

destinationport

string

No

Name of the destination port field. The value found in this field must be a numerical value in the range 0 to 65535. If set, the destinationip parameter must also be set.

icmptype

string

No

Name of the ICMP type field. The value in this field must be a numerical value in the range 0 to 65535. If this parameter is set, then the icmpcode field must also be set.

icmpcode

string

No

Name of the ICMP code field. The value in this field must be a numerical value in the range 0 to 65535. If this parameter is set, then the icmptype field must also be set.

seed

number

No

The seed value used when computing the Community ID. This must be a number in the range 0 to 65535.

Examples

Calculates the Community ID for Netflow logs.

humio
communityId(proto=flow.protocolIdentifier,
             sourceip=flow.sourceIPv4Address,
             sourceport=flow.sourceTransportPort,
             destinationip=flow.destinationIPv4Address,
             destinationport=flow.destinationTransportPort)