Aggregate records netflow

eddie4 · July 10, 2018, 8:23am

The problem:
We operate a elastic search cluster for storing netflow data. One of our clients operates a UDP service that is queried an insane amount by different IP's. This one client is responsible for 2/3 of the flows in elastic search. Adding about 3000 flows every second of every day.

The question
Is there a way to aggregate all these records drop the source and destination IP and only calculate the amount of traffic used over the last 5secs? While deleting or better never storing the original records. There by reducing storage and processing time.

rcowart · July 12, 2018, 9:29am

I haven't finished evaluation of it yet, but I am hopeful that the rollup API, introduced in 6.3, will facilitate this. If it works out I will be rolling the necessary setup into ElastiFlow.

eddie4 · July 14, 2018, 3:49pm

hmmm interesting we have completely custom built our platform. But I will look into ElastiFlow especially this feature.

system · August 11, 2018, 3:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Looking for advice on a use case for NetFlow Elastic Agent	4	241	February 23, 2024
Collection and storage of information from netflow sources Elasticsearch	13	1278	August 13, 2023
New to Elastic - Netflow Data Analysis Elastic Observability	2	438	November 7, 2022
ES query slows down in high concurrency Elasticsearch elastic-stack-monitoring	1	33	August 13, 2024
PacketBeat timestamp Beats packetbeat	8	1670	June 6, 2017

Aggregate records netflow

Related Topics