Data for rtflow bytes from server not showing


Hello I am new to this Forum and to Kibana.

I have got the following problem:
I am collecting the Logs of the firewalls and I want to create a Graph that sums up
the top 5 source addresses that are creating the most traffic in our network.
The settings are following:
X-Axis ValuesY-Axis Values

The Graph I get looks like this:

I even checked the settings for the index pattern:

Do you have any idea what the Problem could be?

(Joe Fleming) #2

I believe the problem is that you're using the "analyzed" value, and not the raw value, for the source-address. When search on keywords, Elasticsearch doesn't use the actual value, instead of parses the value into a collection of fragments which is uses for searching. Aggregating on that data is usually not very helpful, and isn't what you want in this case.

Instead, you want to aggregate on the raw, not_analyzed value, which you may need to add to your index. You can index both values at the same time, using multi-fields. You'll need to either re-ingest or reindex your data with the updated mapping.


First of all thank you for replying so fast.
I tried your suggestion and got following result:

The settings I used for the index were these:

curl -XPUT localhost:9200/_template/junos -d '{
"template" : "junos-*",
"settings": {
"index.refresh_interval": "5s"
"mappings" : {
"default" : {
"_all" : {"enabled" : false},
"properties" : {
"@version": { "index": "analyzed", "type": "integer" },
"@timestamp": { "index": "analyzed", "type": "date" },
"rtflow": {
"dynamic": true,
"type": "object",
"properties": {
"version": { "index": "analyzed", "type": "integer" },
"application": { "index": "not_analyzed", "type": "string" },
"bytes-from-client.keyword": { "index": "not_analyzed", "type": "integer"},
"bytes-from-server.keyword": { "index": "not_analyzed", "type": "integer"},
"destination-address.keyword": { "index": "analyzed", "type": "ip" },
"source-address.keyword": { "index": "analyzed", "type": "ip" },
"destination-port.keyword": { "index": "analyzed", "type": "integer" },
"nat-destination-address.keyword": { "index": "analyzed", "type": "ip" },
"nat-source-address.keyword": { "index": "analyzed", "type": "ip" }



Did I do something wrong or is there any other solution?

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.