Final=true filter vs. traffic data discrepancy

learner · January 9, 2018, 10:55pm

Hi,

I'm using Packetbeat to capture traffic between hosts, as below, with the filter "final=true".

Just downloaded a 2.4 GB file and it indeed appeared in my query for the last 15m, which is good.

But, if I query for the last 4h, my entry does not show up at all any longer, while other hosts that transferred only 500MB, 100MB, etc. appear during the last 4h.

What I expected was to see my entry appearing in 15m, 30m, 1h, and even in 4h, because my 2.4 GB download is supposed to be the heaviest traffic for the last 4h.

Could an expert please explain this behavior so that it'd make sense?

Thanks.

Young

steffens · January 10, 2018, 12:16pm

So your capturing flow information only?

Obviously the data are available in Elasticsearch. Don't think this is related to beats, but some filters/configs in Kibana.

In kibana 1. use the discovery tool, 2. set time-range that contains your download 3. open one document and select some fields to create a tabular overview (include source.stats.net_bytes_total in this list). 4. Use tabular view to sort entries by size -> entry should be shown.

learner · January 10, 2018, 5:26pm

Hi Steffen,

I'm trying to see all the data points from 4h ago through now in Kibana by default, not by each time manual configuration change.

So that my data point from 5m ago still appears in my query for 12h, if that data point is high in the rank?

Maybe, Is it possible to do it by changing some option under Management > Advanced Settings?

Thanks.

Young

steffens · January 11, 2018, 1:07pm

I moved the topic to the Kibana forum.

system · January 30, 2018, 10:55pm

This topic was automatically closed after 21 days. New replies are no longer allowed.