I'm interested in creating a threshold alert for bits/s or packets/s of my data. This is leading me down a rabbit hole, and it seems like doing any analysis (sorting/aggregation) on this kind of per second data is quite difficult; the only option seems to be to use the TSVB and create a visual with that.
I considered using data transforms to try and do things by "entity" but I can't figure out how to exactly do that given that I need the per second rates for a given source.ip. I'm using data in the ECS format so I have fields like network.bytes or network.packets.
Any suggestions on being able to do more interesting manipulations of data that is per second?
Summing up the network.bytes or network.packets over time (using a date_histogram aggregation), gives you an effective rate, because you have a number of bytes per unit time. No need to calculate a derivative, unless you're interested in the rate of change (i.e. bits/sec/sec).
What are you going to set your threshold at? Why not consider using ML to dynamically find anomalies in your network data?
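To make the point above concrete, and to answer the "packets/24 hours versus packets/s" worry, here is an added example (not code from the thread or from Elastic): it builds a `terms` on `source.ip` containing a `date_histogram` with an explicit `fixed_interval` and a `sum` of `network.bytes`, then normalises each bucket's byte sum by the bucket width so the result is bits/s whatever interval you chose, and flags buckets over a threshold. The sample response and the 100 Mbps threshold are constructed for the example; the field names are the ECS ones mentioned in the question. Note that `fixed_interval` is set explicitly in the query, so the bucket width is known to the code, unlike Kibana's "minimum interval", which auto-scales.

```python
import re

# Seconds per unit for Elasticsearch fixed_interval strings ("100ms", "1s", "30s", "5m", "1h", "1d").
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def interval_seconds(fixed_interval):
    """Width of a date_histogram fixed_interval bucket, in seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", fixed_interval)
    if not m:
        raise ValueError(f"unsupported fixed_interval: {fixed_interval!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def build_query(fixed_interval="1s", lookback="now-5m", size=50):
    """Search body: per-source.ip date_histogram with a sum of network.bytes per bucket.
    Constructed example body; the lookback window and terms size are assumptions."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": lookback}}},
        "aggs": {
            "by_ip": {
                "terms": {"field": "source.ip", "size": size},
                "aggs": {
                    "over_time": {
                        "date_histogram": {
                            "field": "@timestamp",
                            "fixed_interval": fixed_interval,
                        },
                        "aggs": {"bytes": {"sum": {"field": "network.bytes"}}},
                    }
                },
            }
        },
    }


def bits_per_second(bucket_sum_bytes, fixed_interval):
    """Normalise a bucket's byte sum to bits/s so the rate does not depend on bucket width."""
    return bucket_sum_bytes * 8 / interval_seconds(fixed_interval)


def find_threshold_breaches(response, fixed_interval, threshold_bps):
    """Walk a terms > date_histogram > sum response and return
    (source.ip, bucket timestamp, bits/s) for every bucket at or above threshold_bps."""
    breaches = []
    for ip_bucket in response["aggregations"]["by_ip"]["buckets"]:
        ip = ip_bucket["key"]
        for b in ip_bucket["over_time"]["buckets"]:
            bps = bits_per_second(b["bytes"]["value"], fixed_interval)
            if bps >= threshold_bps:
                breaches.append((ip, b["key_as_string"], bps))
    return breaches


# Constructed sample response in the shape Elasticsearch returns for the query above,
# using 30-second buckets. 450 MB in 30 s is 120 Mbps; the other buckets are well under 1 Mbps.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_ip": {
            "buckets": [
                {
                    "key": "10.0.0.5",
                    "over_time": {
                        "buckets": [
                            {"key_as_string": "2020-01-01T12:38:00Z", "bytes": {"value": 3_000_000}},
                            {"key_as_string": "2020-01-01T12:38:30Z", "bytes": {"value": 450_000_000}},
                        ]
                    },
                },
                {
                    "key": "10.0.0.9",
                    "over_time": {
                        "buckets": [
                            {"key_as_string": "2020-01-01T12:38:00Z", "bytes": {"value": 1_000_000}},
                        ]
                    },
                },
            ]
        }
    }
}

if __name__ == "__main__":
    # Assumed threshold: 100 Mbps link, alert when a single source.ip reaches it.
    for ip, ts, bps in find_threshold_breaches(SAMPLE_RESPONSE, "30s", 100_000_000):
        print(f"{ts} {ip} {bps / 1e6:.1f} Mbps")
```

The same search body can be used as the `search` input of a watch, with the normalisation above moved into a `bucket_script` (`params.bytes * 8 / interval_seconds`) and the threshold check in the watch condition; that part is left as prose here because the exact watch wiring is not shown in the thread. One caveat worth keeping in mind: this measures bytes that appear in your logs, which is a lower bound on link utilisation, not a measurement of it.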
Wouldn't the date histogram give me the rate depending on the bucket? So if I'm looking at a month, and the buckets are every 24 hours, then I'm looking at packets/24 hours? I want to look at packets/s no matter the bucket size.
I'm looking at creating a watcher that will tell me when the packets/s passes a threshold. I would be interested to use ml as well, but I'd like to track the per second rate. Does that make sense?
At least in the current version of Kibana, there's no fixed interval but rather a minimum interval... but with minimum, it doesn't force the value I put in (e.g. if I put second as the minimum, it doesn't show second buckets, but whatever it thinks makes the most sense).
My data is log data that's coming in on a ms scale.
Sorry, what I meant when I asked about the granularity of the data is what is the sampling interval of the data? In other words, if you have a network.bytes value for a specific source.ip, what is the typical time in between adjacent samples?
Hmm, it's hard to say; most of the time there are at least 2, sometimes up to 10 per second. However, sometimes there is 1 event for a source IP, or none, in a given second.
Ok, great - that helps me understand the approximate velocity of the data you're dealing with.
So, my next question is:
Do you really want/need an alert for a 1 second window of time on this data? In other words, if there's a spike of network traffic above your threshold at 12:38:06, it is back in range at 12:38:07, but it spikes again at 12:38:08, do you really want two alerts? And you want to do this for every source.ip in your data?
So that's a decent question; I feel like people want to know their Mbps speed to understand bandwidth usage. If I can do 100 Mbps for my network, understanding the data usage as a percentage of that is important, no? Or is this best dealt with by one of the Beats that has this as an explicit value, rather than the logs that mention packets or bits transferred?