I'm sending Flexible NetFlow with NBAR application recognition from a Cisco IOS router to the Filebeat netflow module, which stores directly to Elasticsearch (not via Logstash).
The netflow data arrives something like:
    action: network_flow
    netflow.source_ipv4_address: 10.1.1.5
    netflow.source_transport_port : 2048
    netflow.destination_ipv4_address: 10.2.1.6
    netflow.destination_transport_port: 443
    netflow.application_id : 3, 0, 1, 187
    network.bytes : 200
You can see here that NBAR has given the flow the application_id "3, 0, 1, 187", which doesn't really help me when reporting.
Occasionally the router will send its application-table, which shows up as:
    action: netflow_option
    netflow.options.application_id: 3, 0, 1, 187
    netflow.options.application_name: secure-http
    netflow.options.application_description: Secured HTTP
How do I go about getting a report like sum(network.bytes) per 'application_description'?
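
The join the question asks about, as an added example that is not part of the original post: it builds the id-to-description table from the netflow_option records, then sums network.bytes per description on the client side. The sample documents are constructed, and holding application_id as a list of integers (or the comma-separated string shown above) is an assumption.

```python
from collections import defaultdict

# Constructed sample documents, using the field names shown in the post.
# Assumption: application_id is a list of integers or a "3, 0, 1, 187" string.
DOCS = [
    {"action": "netflow_option",
     "netflow.options.application_id": [3, 0, 1, 187],
     "netflow.options.application_name": "secure-http",
     "netflow.options.application_description": "Secured HTTP"},
    {"action": "network_flow", "netflow.application_id": [3, 0, 1, 187], "network.bytes": 200},
    {"action": "network_flow", "netflow.application_id": "3, 0, 1, 187", "network.bytes": 1300},
    # Constructed flow whose id never appeared in an application-table record.
    {"action": "network_flow", "netflow.application_id": [13, 0, 0, 1], "network.bytes": 50},
]


def app_key(value):
    """Normalise an application_id (list or comma-separated string) to a tuple."""
    if isinstance(value, str):
        value = [part.strip() for part in value.split(",")]
    return tuple(int(part) for part in value)


def build_app_table(docs):
    """Map application_id -> description from netflow_option records."""
    table = {}
    for doc in docs:
        if doc.get("action") == "netflow_option" and "netflow.options.application_id" in doc:
            key = app_key(doc["netflow.options.application_id"])
            table[key] = doc.get("netflow.options.application_description", "")
    return table


def bytes_per_description(docs):
    """Sum network.bytes per description; ids with no table entry stay visible."""
    table = build_app_table(docs)
    totals = defaultdict(int)
    for doc in docs:
        if doc.get("action") != "network_flow":
            continue
        key = app_key(doc.get("netflow.application_id", []))
        label = table.get(key) or "unknown " + ",".join(map(str, key))
        totals[label] += doc.get("network.bytes", 0)
    return dict(totals)


if __name__ == "__main__":
    print(bytes_per_description(DOCS))
```

Flows whose id has no matching application-table record are reported under an "unknown" label rather than dropped, so traffic seen before the router exports its table still counts toward the totals.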