Difference between Meraki dashboard and netflow graph

Elastic Stack Kibana
1

I need to understand why I have difference between my Meraki dashboard and Kibana graph.

This graph, from the Meraki dashboard, is related to one client. The max usage is 1,2Mbit/s :

kibana1
kibana1.png1188×290 28.5 KB

The same graph from Kibana :

kibana2
kibana2.png2254×362 41.1 KB

The peak reported is 41676 MB/s... It's not possible.

This timelion use the next expression :

.es(index=filebeat-*, metric='sum:network.bytes').mvavg(3m).divide(1024).scale_interval(1s).title('MB per second')

This expression come from an example found on the forum.

Below the values collected from netflow :

Kibana3
Kibana3.png1546×1348 196 KB

Where is the issue ? Why I need to divide the value by 1024 (I received and I want the value in MB).

2

Hey @jquintard, which version of Kibana are you using?

3

7.4.0 I think it's the latest.

4

@Brandon_Kobel do you have an idea about this issue ?

5

The documentation (Network fields) specifies the field "network.bytes" is the sum of "source.bytes" and "destination.bytes".

In my case this fields are missing. I have only this values :

  • netflow.octet_delta_count
  • netflow.packet_delta_count
  • netflow.post_octet_delta_count
  • netflow.post_packet_delta_count

On the other side, Meraki specifies (Meraki netflow overview) the netflow template sent and specially two field used to collect bytes :

  • bytes
  • out_bytes

I don't understand why I have differents values, the relationship between them and how the network.bytes is calculated. Is this possible to have some explication about this ?

6

Hey @jquintard, can you confirm that the network.bytes field is a number? If so, it will be storing the number of bytes itself. Timelion currently ignores the Kibana index-pattern field formatters so if you'd like to convert from bytes to kB or mB in Timelion, you'll have to do this yourself.

7

@Brandon_Kobel, it's a number. But I think you have not understand my problem (my poor English probably). I have not an unit issue, I known how to divide the number in timelion. It's just the bytes from the two sources (meraki dashboard and kibana) are not the same (or approximately the same).

Example from the previous screenshot :

At 12AM
Meraki : around 1,2 Mb/s so 0,15MB/s
Kibana : around 41 676 MB/s

From 0,15MB/s to 41 675 MB/s the gap is huge.

I dont understand why 41 675 MB/s (it's just impossible).

The previous graph on the thread but with only one minute of data. I receive 22 flow. The first give 68,8MB, the last 137,2MB so in 1 minute, 137,2 - 68,8 = 68,4MB of data are received/send by the interface. The bandwidth is therefore 68,4 / 60 = 1,14MB/s...

Kibana3
Kibana3.png2686×1636 248 KB

Now a timelion just with a divide (1024 x 1024). Instead of 137,2 MB on the last flow, timelion give 1335MB (so x10 but why 10 ???).

kibana4
kibana4.png1956×270 40.9 KB

The same timelion in an mavg of 1 minute and a scane interval of 1s. The graph display 34MB/s.

kibana5
kibana5.png1774×268 26.4 KB

So why this differences ?

8

@Brandon_Kobel no idea about this issue ? It's a problem with Filebeat/netflow ? the kibana configuration ? the Meraki dashboard ?

9

Hey @jquintard, the following discuss post walks you through how to calculate bytes per second using netflow data and timelion: Bytes per second - Is it possible?

10

@rashid, I'm sorry to ask your help, I have read the post, specified by brandon, but it's allready I do. Do you know why I have a big huge between what I see in my meraki dashboard and you I got in kibana... How I can troubleshoot. Thanks your help.

11

Really no idea ? @rashid @Brandon_Kobel

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.