[NETFLOW][TIMELION] Bandwidth with netflow packets

Hello,

I want the Timelion bandwidth, but the number of bytes is per connection, not per second.

Ex: The connection between 192.168.0.1:80 and 192.168.0.1:54220 began at 10:00 am and ended at 10:05 am. The total bytes of the communication is 250 bytes.

Example with the values of 2 packets:

Packet 1:
event.start: 10:00
event.end: 10:04
network.bytes: 250
@timestamp = event.start

Packet 2:
event.start: 10:10
event.end: 10:03
network.bytes: 600
@timestamp = event.start

I want the Timelion graph to look like:

10:10 = 50 + 200 bytes
10:11 = 50 + 200 bytes
10:12 = 50 + 200 bytes
10:13 = 50
10:14 = 50

Not like :

10:00 = 250 + 600 bytes
10:11 = 0
10:12 = 0
10:13 = 0
10:14 = 0

Unfortunately I don't think you can accomplish this in Kibana before we support scripted metrics. See https://github.com/elastic/kibana/issues/2646

Hello,

Thanks for your reply, I have found a bypass solution.

It's not optimized but it works.

I use the logstash-filter-ruby plugin in Logstash to build 2 new fields:
one field with the bandwidth per second and another with all the dates in the range.

Example:
bandwidth_by_second: 50
timer: { 10:00, 10:01, 10:02, 10:03, 10:04 }

Source code:

  ruby {
    # Load the date library once when the pipeline starts, not on every event
    init => 'require "date"'
    code => '
      start_raw = event.get("[event][start]")
      end_raw   = event.get("[event][end]")

      # Skip events that lack either timestamp instead of raising inside the filter
      if start_raw && end_raw
        # Local variables (not globals): globals would be shared between pipeline workers
        t1 = DateTime.parse(start_raw.to_s).to_time
        t2 = DateTime.parse(end_raw.to_s).to_time
        duration = (t2 - t1).to_i   # connection duration in whole seconds

        # One entry per second of the connection, start and end inclusive
        timer = [t1]
        if duration > 1
          (1..duration).each { |i| timer << (t1 + i) }
        end
        event.set("[timer]", timer)

        # Spread the total evenly over the generated seconds so the entries sum back to [network][bytes]
        bytes = event.get("[network][bytes]").to_i
        event.set("[network][bytes_by_seconds]", bytes / timer.size)
      else
        event.tag("_bandwidth_missing_timestamps")
      end
    '
  }
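To show what the expanded fields produce once Timelion sums them per bucket, here is a stand-alone Ruby script (added for illustration, not code from this thread) that spreads each flow's bytes over its duration and aggregates overlapping flows; the sample flows are constructed to reproduce the series wanted in the opening post, with a 60 s bucket so the output reads in minutes, and it also keeps the integer-division remainder so the buckets sum back to the flow total.

```ruby
require "time"

# Constructed sample flows modelled on the opening post: two connections that
# overlap from 10:10 to 10:12 (times are minute-granular, hence the 60 s bucket).
FLOWS = [
  { start: "2020-01-01T10:10:00Z", end: "2020-01-01T10:14:00Z", bytes: 250 },
  { start: "2020-01-01T10:10:00Z", end: "2020-01-01T10:12:00Z", bytes: 600 },
]

# Expand one flow into [bucket_epoch, bytes_in_bucket] pairs, start and end
# inclusive, spreading the byte count evenly so the pairs sum to the flow total.
def expand_flow(flow, bucket = 60)
  t1 = Time.parse(flow[:start]).to_i
  t2 = Time.parse(flow[:end]).to_i
  return [] if t2 < t1                            # malformed record: end before start
  buckets = ((t2 - t1) / bucket) + 1              # number of buckets the flow spans
  per_bucket = flow[:bytes] / buckets             # same integer division as the filter
  remainder = flow[:bytes] - per_bucket * buckets # rounding loss goes into the last bucket
  (0...buckets).map do |i|
    [t1 + i * bucket, per_bucket + (i == buckets - 1 ? remainder : 0)]
  end
end

# Sum the expanded flows per bucket: the series the asker wants Timelion to plot.
def bandwidth_series(flows, bucket = 60)
  series = Hash.new(0)
  flows.each { |f| expand_flow(f, bucket).each { |t, b| series[t] += b } }
  series.sort.map { |t, b| [Time.at(t).utc.strftime("%H:%M"), b] }
end

if __FILE__ == $0
  bandwidth_series(FLOWS).each { |label, b| puts "#{label} = #{b} bytes" }
end
```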
