I created a Kibana visualization counting the sum of packets from a source.ip to a destination.ip over time. There are documents from each host.hostname (source and destination) in the data set. When analyzing the counts in a spreadsheet and sorting the data by hostname, I expected to see some similarity in the counts for a given time interval between packet counts reported by each of the two hostnames.
Instead there is a large difference: the packet counts reported by one hostname are as many as three times as large as those for the same time interval reported by the other.
I do not understand the difference. Am I not interpreting the data correctly? Any insight is appreciated. Thank you in advance.