I tried using Packetbeat to make a dashboard that shows how many GB/min or TB/h were transferred between various hosts in the LAN and other hosts, in and out, whether between internal hosts or between internal and external hosts.
When I use source.stats.net_bytes_total and dest.stats.net_bytes_total as sum metrics, I cannot convince myself of the cumulative TB/h that came up, as our WAN bandwidth has no way of transferring the number of TB/h that the dashboard shows.
What would be the fields to use to show MB/GB/TB transferred per minute and hours?
Or am I doing it wrong, capturing what I want with the wrong aggregation type (sum), maybe?
If you want to aggregate sums of traffic, you need to filter on final:true, or use some other technique, so that you get only the latest update from each flow. You can disable intermediate reports by setting period: -1s.
That's it. I'm now convinced with the bytes transferred after adding that filter to use final:true.
So, just to confirm: if final:false, I guess it's cumulative from the very beginning, from when Packetbeat started collecting packets, and if final:true, only for the time duration specified (e.g., last 4 hours, last 12 hours, etc.)?
If you do not filter out events where final: false then you are summing up the amount of bytes contained in each flow update. And the number of bytes contained in each update is a summation since the flow started. For example:
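The following is an added illustration of the overcounting described in this thread, not the poster's own example: it builds a handful of constructed flow-update records in a simplified shape of a Packetbeat flow document (the flow_id key, the cumulative values and the periods are assumptions) and compares a plain sum with the final:true filter and with keeping only the latest update per flow.

```python
# Constructed sample of flow updates, in time order. Each update carries the
# bytes seen since the flow STARTED (cumulative), as the thread explains.
# Field layout is simplified; "flow_id" is an assumed key, not a documented one.
FLOW_EVENTS = [
    # flow A reported three times (intermediate, intermediate, final)
    {"flow_id": "A", "final": False,
     "source": {"stats": {"net_bytes_total": 1000}},
     "dest": {"stats": {"net_bytes_total": 200}}},
    {"flow_id": "A", "final": False,
     "source": {"stats": {"net_bytes_total": 2500}},
     "dest": {"stats": {"net_bytes_total": 600}}},
    # flow B: short flow, a single final report
    {"flow_id": "B", "final": True,
     "source": {"stats": {"net_bytes_total": 500}},
     "dest": {"stats": {"net_bytes_total": 100}}},
    {"flow_id": "A", "final": True,
     "source": {"stats": {"net_bytes_total": 4000}},
     "dest": {"stats": {"net_bytes_total": 900}}},
    # flow C: still in progress, no final report yet
    {"flow_id": "C", "final": False,
     "source": {"stats": {"net_bytes_total": 300}},
     "dest": {"stats": {"net_bytes_total": 50}}},
]


def event_bytes(ev):
    """Bytes the update reports for its flow so far, both directions."""
    return (ev["source"]["stats"]["net_bytes_total"]
            + ev["dest"]["stats"]["net_bytes_total"])


def sum_all_updates(events):
    """What a plain sum aggregation does: every intermediate update is added,
    so flow A is counted three times with growing values."""
    return sum(event_bytes(e) for e in events)


def sum_final_only(events):
    """Equivalent of filtering on final:true (or period: -1s): each finished
    flow is counted exactly once, flows still open are not counted yet."""
    return sum(event_bytes(e) for e in events if e["final"])


def sum_latest_per_flow(events):
    """Keep only the most recent update per flow: finished flows count once,
    and in-progress flows contribute their bytes so far instead of zero."""
    latest = {}
    for e in events:  # later updates overwrite earlier ones for the same flow
        latest[e["flow_id"]] = event_bytes(e)
    return sum(latest.values())
```

With this sample the plain sum reports 10150 bytes, the final-only filter 5500 (flow C not yet finished), and the latest-per-flow method 5850.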