Don't count source bytes and destination bytes in Filebeat netflow

Hi everyone,

Please help me.

I have ELK 8.17 (Elasticsearch-Logstash-Kibana-Filebeat) and send netflow from a router to Filebeat, and I receive all of the netflow in ELK, but it doesn't count source bytes and destination bytes!
It just collects source and destination ports!

Why do source IP and destination IP have an error?

Hi @Komeyl_Pouya Welcome to the community...

First, I am curious why you are running Filebeat -> Logstash -> Elasticsearch instead of just Filebeat -> Elasticsearch?

Are you following 3rd party documentation?

I generally recommend Filebeat -> Elasticsearch first... Why? Because Logstash adds extra complexity (may not add any value) and if you do not do everything right... then the correct mappings and pipelines / parsing are not applied. Then the data and the mappings and dashboards might not work right...

So my suggestion is to clean everything up and get Filebeat -> Elasticsearch working first using the netflow module.

Follow the steps in the Filebeat quick start and use the netflow module instead of the nginx module.

That is my suggestion...


Thank you for the advice and quick response.
I tried setting the Filebeat output in filebeat.yml to Elasticsearch and it worked.

But it doesn't show all of the dashboard boxes completely.

The following is an image of the empty graphs.
[ Source (bytes) {filebeat netflow} ]

Did you clean up all the existing indices and run the setup command? As shown in the quick start.

Also, you will need to look at your raw Netflow logs and check sample documents in Discover... to see if the data is there.

Share a sample document... the full JSON.

Seems like the source bytes are there.. why that one Viz is missing.. perhaps go to edit mode and take a look... Could be a simple bug in those 2 Viz

Hmm I don't even remember what those 2 graphs are supposed to be... I will need to find some sample data tomorrow and take a look