Decreasing total

How does it happen that the packetbeat metric dest.stats.net_bytes_total (or in some cases source.stats.net_bytes_total) is not monotonic within a particular flow over time?

I.e. this looks weird:

This feels like a bug. Does anyone from the Beats team want to comment?

Flows work at the packet level and are not aware of connections. For this reasons flow must time out in order to not leak memory. Normally the flow.final field is set in this case. The default timeout is 30s. The scrneeshot shows that numbers didn't change in the last few documents before the 'reset'.

You can increase the timeout via packetbeat.flows.timeout.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.