Bandwidth accounting in Kibana

yeci · May 9, 2017, 12:40pm

We're trying to get a bandwidth accounting solution running where we want to get graphs on how much bandwidth every individual IP address uses. To do this we are using a tool called pmacct-to-elasticsearch that takes the output from pmacct (uses libpcap to capture traffic on a SPAN port) and sends this to elasticsearch. We then have Kibana to draw graphs based on this data.

The solution aggregates the source IP addresses and sets these together with bytes, packets etc. in separate fields every minute (so a field for IP, a field for bytes etc.). We've gotten as far as to being able to graph the bandwidth used by a IP address over time by searching for "src_ip: xxx.xxx.xxx.xxx" manually. What we would like to do now, if possible, is have all IP addresses in a list or drop down menu where you can simply select one of them and get the graph for the bandwidth usage. Additionally we would like to not have to set each graph manually, as we'll be dealing with a large number of addresses (500-ish), so if we could get Kibana to automatically list all unique addresses in the field that'd be preferred.

Is this at all possible or are we chasing a unicorn?
Thanks in advance.

weltenwort · May 9, 2017, 6:10pm

Hey @yeci,

that sounds absolutely possible with just a single visualization. You can set it up similar to the following example, just with the src_ip field instead of the extension.raw:

That would list all the ip addresses in the legend to the right, where you can click on its icon to add a filter for that specific address:

yeci · May 15, 2017, 1:39pm

Thank you Weltenwort.

We have tried this on a test-environment and it works as you suggested it would. However when it graphs all traffic it gets really laggy. Is there no way to get a list of all the IP address before it graphs everything up, so you can just select an IP address from the list and be taken to the graph from there?

Thanks in advance!

weltenwort · May 15, 2017, 8:55pm

You might be able to achieve a better performance using this setup (again, substitute your own field names for bytes and extension.raw):

create a line chart:

image.png1641×894 125 KB
create a data table visualization:

image.png1640×895 56.5 KB
create a dashboard containing the two visualizations, e.g.:

image.png1641×896 121 KB
then you can quickly filter for a specific term by clicking on the filter icons in the table:

Topic		Replies	Views
ELK Newb - Packetbeat Visualizations Beats packetbeat	3	648	September 21, 2018
Can kibana create charts similar to afterglow Kibana	5	3127	July 6, 2017
Vizualize Netflow data in Kibana (used network trafic) Kibana	4	2585	December 3, 2021
Most visited domains (IPs) Logstash	2	237	July 21, 2021
Newbie playing with netflow (with nProbe) + ELK. Everything running and now what Kibana	2	930	July 6, 2017

Bandwidth accounting in Kibana

Related topics