How to find bandwidth usage from netflow data

Elastic Stack Kibana
1

I want to display bandwidth usage as on x-axis timestamp and on y-axis data usage in mbps.
I have netflow v5 data. How should I do this?
Thank you.

2

Is the data in Elasticsearch?

3

yes, data is in elasticsearch

 "@timestamp": "2016-10-01T18:14:24.000Z",
    "netflow": {
      "version": 5,
      "flow_seq_num": 122645,
      "engine_type": 0,
      "engine_id": 0,
      "sampling_algorithm": 0,
      "sampling_interval": 0,
      "flow_records": 6,
      "ipv4_src_addr": "10.0.0.20",
      "ipv4_dst_addr": "10.0.0.31",
      "ipv4_next_hop": "0.0.0.0",
      "input_snmp": 8,
      "output_snmp": 1,
      "in_pkts": 1,
      "in_bytes": 64,
      "first_switched": "2016-10-01T18:13:24.000Z",
      "last_switched": "2016-10-01T18:14:24.000Z",
      "l4_src_port": 5246,
      "l4_dst_port": 80,
      "tcp_flags": 0,
      "protocol": 17,
      "src_tos": 1,
      "src_as": 20,
      "dst_as": 13,
      "src_mask": 32,
      "dst_mask": 31

I want to add "in_bytes" received per second. And also want to edit y-axis label in kibana linechart

4

Ok, so have you built a line graph yet?

5

Yes, I have done that. But I want to display customized label on y-axis like data usage in Mbps.
How to do this?

6

Saurabh, Did you calculate the bandwith from 'in_bytes'?
I just sum the values from 'in_bytes', but that not the real bandwith utilization, there is more math to calculate.

If I solve it, i will publish it =)
diego

7

Timelion has a function called scale_interval which I often use to get rates per time interval.

8

Christian, please an example for the newbies :slight_smile:
Something like this you mean ?

.es('Hostname:r123', metric='sum:in_bytes').scale_interval(30s) show me zero...
I want to get bytes traffic filter by host.

Thanks

9

Assuming we have a logstash* index patterns that contains web access logs and the size of each request is stored in a numeric field called bytes, the following expression shows downloaded volume as MB/s: .es(index=logstash*, metric='sum:bytes').divide(1048576).scale_interval('1s').title('MB per second')

1 Like
10

Thanks a lot !!!!

11

Hi Christian,

Its wonderful update but is that MB/s or MB/minute ,am confused :slight_smile:

Thanks,
Raj

12

There seems to be a typo there and the interval should indeed be 1s in order to get per second value. Have updated the interval as well as the title.

1 Like
13

Gotcha :slight_smile: Thank you for the response

14

One Query Christian,if I want in mbps ,can i multiply with 8

.es(index=logstash*, metric='sum:bytes').divide(1048576).scale_interval('1s').title('MB per second') ,how can use that function in this query

15

I guess you could divide by 131072 instead of 1048576.

16

Thank you :slight_smile: