Aggregate records netflow

eddie4 · July 10, 2018, 8:23am

The problem:
We operate a elastic search cluster for storing netflow data. One of our clients operates a UDP service that is queried an insane amount by different IP's. This one client is responsible for 2/3 of the flows in elastic search. Adding about 3000 flows every second of every day.

The question
Is there a way to aggregate all these records drop the source and destination IP and only calculate the amount of traffic used over the last 5secs? While deleting or better never storing the original records. There by reducing storage and processing time.

rcowart · July 12, 2018, 9:29am

I haven't finished evaluation of it yet, but I am hopeful that the rollup API, introduced in 6.3, will facilitate this. If it works out I will be rolling the necessary setup into ElastiFlow.

eddie4 · July 14, 2018, 3:49pm

hmmm interesting we have completely custom built our platform. But I will look into ElastiFlow especially this feature.

system · August 11, 2018, 3:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Looking for advice on a use case for NetFlow Elastic Agent	4	243	February 23, 2024
Perform aggregation on already aggregated result Elasticsearch	1	377	February 27, 2018
Collection and storage of information from netflow sources Elasticsearch	13	1316	August 13, 2023
Use case Elasticsearch	8	301	July 6, 2017
Aggregating Source IP and Destination IP pairs on Firewall logs Elasticsearch	2	2184	July 19, 2019

Aggregate records netflow

Related topics