Netflow - SUM netflow.bytes between 2 ip's

Hi All,
I'm using ELK 7.1 and Netflow v5 to gather and visualize Netflow data in our environment. All features and dashboards are working correctly. However, I'm trying to create a graph that displays the bandwidth being used between 2 IP addresses (BOVPN). Can somebody help me with the KQL code?
Thank you very much

I'm not familiar with the Netflow module, could you help me understand what the documents look like? Does each individual document have some sort of bandwidth field? Do you just want to add together the bandwidth use of two specific ip addresses?

Hello Bargs,
first of all, thank you for your time and attention on it.
I'd like to sum the total bytes transferred between 2 IPs (they're my BOVPN gateways). Netflow has a few fields related to the flow and a few fields related to the geoip. Here are the netflow fields:
|Field|Value|
|---|---|
|netflow.bytes|616|
|netflow.direction|ingress|
|netflow.dst_addr|1.1.1.1|
|netflow.dst_as|0|
|netflow.dst_locality|public|
|netflow.dst_mask_len|0|
|netflow.dst_port|60433|
|netflow.dst_port_name|TCP/60433|
|netflow.engine_id|0|
|netflow.engine_type|0|
|netflow.first_switched|Jul 20, 2019 @ 12:15:07.836|
|netflow.flow_locality|public|
|netflow.flow_records|30|
|netflow.flow_seq_num|14,553,060|
|netflow.input_snmp|10|
|netflow.ip_version|IPv4|
|netflow.last_switched|Jul 20, 2019 @ 12:15:07.944|
|netflow.next_hop|0.0.0.0|
|netflow.output_snmp|65535|
|netflow.packets|5|
|netflow.protocol|6|
|netflow.protocol_name|TCP|
|netflow.sampling_algorithm|0|
|netflow.sampling_interval|0|
|netflow.src_addr|2.2.2.2|
|netflow.src_as|0|
|netflow.src_locality|public|
|netflow.src_mask_len|0|
|netflow.src_port|443|
|netflow.src_port_name|TCP/443 (https)|
|netflow.tcp_flag_tags|PSH, ACK|
|netflow.tcp_flags|24|
|netflow.tcp_flags_label|PSH-ACK|
|netflow.tos|0|
|netflow.version|Netflow v5|
|tags|_geoip_lookup_failure|
|type|netflow|

thank you

I feel like I might not be fully understanding your request, but if you just want to match docs that are going from one particular IP to another, you could just do:

netflow.src_addr:2.2.2.2 and netflow.dst_addr:1.1.1.1
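As an added example (not part of Bargs's reply, and not the visualization configuration he later posted), the following Python shows what the question actually asks for: the KQL filter from the reply covers only the 2.2.2.2 -> 1.1.1.1 direction, so a bandwidth graph for the VPN needs the return direction as well, and the metric has to be a sum of `netflow.bytes` rather than a document count. The script builds that two-direction filter as KQL, builds the equivalent Elasticsearch DSL (bool filter plus date histogram plus sum aggregation, which is what a Kibana line chart with Y-axis Sum of `netflow.bytes` sends), and runs the same aggregation locally over a few constructed flow records modelled on the fields shown above so the logic can be checked without a cluster. The `netflow-*` index pattern, the `@timestamp` field and the sample records are assumptions; `fixed_interval` is the date histogram parameter introduced in Elasticsearch 7.2, the version the poster says they run.

```python
"""Sum netflow.bytes between two BOVPN gateways, in both directions.

Example added to this thread; not the original poster's or Bargs's code.
Assumptions: index pattern "netflow-*", timestamp field "@timestamp"
(the thread only shows first_switched/last_switched), and the sample
flow records below, which are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

GW_MAIN = "1.1.1.1"  # main office gateway, from the thread
GW_DR = "2.2.2.2"    # DR gateway, from the thread


def kql_between(ip_a, ip_b):
    """KQL matching flows in either direction between two addresses.

    The thread's filter (src 2.2.2.2 and dst 1.1.1.1) is one direction only;
    the OR of both orderings captures the return traffic too.
    """
    return ("(netflow.src_addr:{a} and netflow.dst_addr:{b}) or "
            "(netflow.src_addr:{b} and netflow.dst_addr:{a})").format(a=ip_a, b=ip_b)


def es_sum_bytes_query(ip_a, ip_b, interval="1m"):
    """Elasticsearch DSL equivalent of a Kibana line chart with
    Y-axis = Sum(netflow.bytes) and X-axis = Date Histogram on @timestamp,
    filtered to flows between ip_a and ip_b (time range omitted)."""
    def direction(src, dst):
        return {"bool": {"filter": [
            {"term": {"netflow.src_addr": src}},
            {"term": {"netflow.dst_addr": dst}},
        ]}}

    return {
        "size": 0,
        "query": {"bool": {
            "should": [direction(ip_a, ip_b), direction(ip_b, ip_a)],
            "minimum_should_match": 1,
        }},
        "aggs": {"per_interval": {
            # fixed_interval exists from ES 7.2; older 7.x used "interval".
            "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
            "aggs": {"bytes": {"sum": {"field": "netflow.bytes"}}},
        }},
    }


def sum_bytes_between(docs, ip_a, ip_b, both_directions=True):
    """Reference implementation of the same aggregation over in-memory docs.

    Returns {bucket_start_iso: total_bytes} with one-minute buckets. With
    both_directions=False it reproduces the thread's one-way filter
    (ip_a -> ip_b only), which undercounts VPN bandwidth.
    """
    wanted = {(ip_a, ip_b)}
    if both_directions:
        wanted.add((ip_b, ip_a))
    totals = defaultdict(int)
    for d in docs:
        nf = d["netflow"]
        if (nf["src_addr"], nf["dst_addr"]) not in wanted:
            continue
        bucket = d["@timestamp"].replace(second=0, microsecond=0)
        totals[bucket.isoformat()] += nf["bytes"]
    return dict(totals)


def _flow(ts, src, dst, nbytes):
    """Constructed flow record using the field names shown in the thread."""
    return {"@timestamp": ts, "type": "netflow",
            "netflow": {"src_addr": src, "dst_addr": dst, "bytes": nbytes,
                        "protocol": 6, "version": "Netflow v5"}}


T0 = datetime(2019, 7, 20, 12, 15, 0)
SAMPLE_FLOWS = [  # constructed sample data, not real captures
    _flow(T0 + timedelta(seconds=7), GW_DR, GW_MAIN, 616),     # DR -> main
    _flow(T0 + timedelta(seconds=30), GW_MAIN, GW_DR, 1400),   # main -> DR (return)
    _flow(T0 + timedelta(seconds=75), GW_DR, GW_MAIN, 200),    # next minute
    _flow(T0 + timedelta(seconds=80), GW_DR, "8.8.8.8", 9999), # not the VPN
]

if __name__ == "__main__":
    print(kql_between(GW_MAIN, GW_DR))
    print(json.dumps(es_sum_bytes_query(GW_MAIN, GW_DR), indent=2))
    print("both directions:", sum_bytes_between(SAMPLE_FLOWS, GW_MAIN, GW_DR))
    print("one way only:   ", sum_bytes_between(SAMPLE_FLOWS, GW_DR, GW_MAIN, both_directions=False))
```

Paste the `kql_between` string into the Kibana query bar of a line chart whose metric is Sum of `netflow.bytes` and whose bucket is a Date Histogram, and you get bytes per interval for the tunnel rather than a flow-record count. The local `sum_bytes_between` run makes the direction issue visible: the one-way filter misses the 1400-byte return flow in the first minute.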

Hello Bargs,
Sorry if I wasn't clear in my question. What I'd like to have is a graph to monitor our Branch Office VPN that is connected between our main office (IP: 1.1.1.1) and our DR (IP: 2.2.2.2). I'd like to see one graph like this, but instead of flow records I'd like to see it in bytes. By the way, I'm running ELK 7.2.
Thank you very much for your attention

I think a vis with the following configuration would give you what you want:

Bargs,
That worked perfectly.
Thank you very much for all your help.

