Help with index patterns used in netflow

I've set up elastiflow on my ELK Stack to serve as a netflow collector, but I noticed visualizations showed different data from what I expected. Then I realized Kibana was using the flow.client_hostname index pattern as the field to show the data, when what I expected it to use was flow.src_hostname.

I've changed the fields used in the graphs, but I'm really curious what the difference would be between flow.client_hostname and flow.src_hostname.

I expect the source IP address from that particular flow to be the "client" in that conversation; if that's not the case, what's the logic behind these fields "flow.client_hostname/flow.server_hostname/flow.autonomous_system"?

I've checked in the Management section, but all I can find is that these indexes are String.

I am going to move this to the Logstash topic; someone there should be able to describe the difference between flow.client_hostname and flow.src_hostname.

@gsantiago please open an issue and ask this question on the ElastiFlow repository and I will answer it there.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.