Does the Final Flow log aggregate the previous (non-final) flow logs?

Bobby · July 19, 2017, 3:11pm

Hi, I'm looking to get clarification on what my flow logs are telling me.

For a given request, I'd like to know the total number of bytes that have been sent and received by that request. Currently, I have my period configured for a value > 0, so I'm getting intermediate flow logs whose final flag is set to false. Questions related to this:

For each of those flow logs, do the "net_bytes_total" fields report bytes sent and received since the last flow log? Or is it reporting the total bytes sent and received since the "start_time"?
Same question for the flow log where final is set to true. Do the "net_bytes_total" fields report bytes sent and received since the last (non-final) flow log? Or is it reporting the total bytes sent and received since the "start_time"?
If I set my period to -1, I only get the final logs. Will that guarantee the net_bytes_totals represent the total bytes sent and received since the "start_time"?

Thanks!

andrewkroh · July 19, 2017, 9:10pm

See the flow documentation. The note at the end of the page answers most of your questions.

The net_bytes_total in all events is the total bytes for the flow (aggregate) since the start.

Bobby · July 19, 2017, 9:38pm

Hi Andrew,

I've read that page. What I'm unclear on is the scope of the aggregate. For all flow logs, (regardless of whether or not the final flag is set), does net_bytes_total reflect the total bytes for the flow since the timestamp indicated in the start_time field?

andrewkroh · July 19, 2017, 9:40pm

Yes.

system · August 16, 2017, 9:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.