Bandwidth accounting in Kibana

We're trying to get a bandwidth accounting solution running where we want to get graphs on how much bandwidth every individual IP address uses. To do this we are using a tool called pmacct-to-elasticsearch that takes the output from pmacct (uses libpcap to capture traffic on a SPAN port) and sends this to elasticsearch. We then have Kibana to draw graphs based on this data.

The solution aggregates the source IP addresses and sets these together with bytes, packets etc. in separate fields every minute (so a field for IP, a field for bytes etc.). We've gotten as far as to being able to graph the bandwidth used by a IP address over time by searching for "src_ip: xxx.xxx.xxx.xxx" manually. What we would like to do now, if possible, is have all IP addresses in a list or drop down menu where you can simply select one of them and get the graph for the bandwidth usage. Additionally we would like to not have to set each graph manually, as we'll be dealing with a large number of addresses (500-ish), so if we could get Kibana to automatically list all unique addresses in the field that'd be preferred.

Is this at all possible or are we chasing a unicorn?
Thanks in advance.

Hey @yeci,

that sounds absolutely possible with just a single visualization. You can set it up similar to the following example, just with the src_ip field instead of the extension.raw:

image.png1914×894 150 KB

That would list all the ip addresses in the legend to the right, where you can click on its icon to add a filter for that specific address:

Thank you Weltenwort.

We have tried this on a test-environment and it works as you suggested it would. However when it graphs all traffic it gets really laggy. Is there no way to get a list of all the IP address before it graphs everything up, so you can just select an IP address from the list and be taken to the graph from there?

Thanks in advance!

You might be able to achieve a better performance using this setup (again, substitute your own field names for bytes and extension.raw):

• create a line chart:
  
  

  image.png1641×894 125 KB
• create a data table visualization:
  
  

  image.png1640×895 56.5 KB
• create a dashboard containing the two visualizations, e.g.:
  
  

  image.png1641×896 121 KB
• then you can quickly filter for a specific term by clicking on the filter icons in the table:
  

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.