Network bandwidth from firewall logs in timelion

I configured timelion to graph network usage (in Mbps) for all HTTPS traffic. The timelion expression is:

.es(q="observer.ingress.interface.name:Untrust-4 and destination.port:443",index="fw-*",timefield="@timestamp",metric="sum:destination.bytes").divide(125000).scale_interval(1s).label("Mbps IN"),
.es(q="observer.ingress.interface.name:Untrust-4 and destination.port:443",index="fw-*",timefield="@timestamp",metric="sum:source.bytes").divide(125000).scale_interval(1s).label("Mbps OUT")

The "divide" takes the bytes from the firewall, multiplies by 8 (to get bits) and divides by 1000000 (to get Megabits).

The graph looks nice, but the scale is completely off. Like: 80 Gbps of bandwidth used, where the size of the physical links is way less than that.

What can go wrong?

Hi @jfs1

Most of the time Bytes In / Bytes Out are recorded as monotonically increasing counters, so you would have to do a derivative to get a rate. Perhaps this is the issue. I am not a timelion expert, so I can't help you there.

However, both Lens and TSVB have Counter Rate aggregations / derivatives built in to perform these operations; perhaps take a look at them. Lens is a bit easier, but TSVB provides more flexibility.

Here is an example in TSVB complete with scaling of the Bytes etc.

You can also apply filters in the Filter section with KQL syntax

Minor oops: the label I put is Bytes In, but I used the metric bytes.out. I am sure you will be more careful :wink:
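To make the counter-versus-gauge distinction from the reply above concrete, here is an added Python example (not code from either poster or from Kibana). It applies the same bytes-to-Mbps conversion as the timelion expression (divide by 125000, scale to one second) to constructed per-session firewall log values, and separately computes the derivative that a monotonically increasing interface counter needs, including skipping an interval where the counter reset; the sample timestamps and byte values are made up.

```python
"""Bytes-to-Mbps for two kinds of sources (constructed data, no Elasticsearch):
per-session firewall logs, where each event carries that session's bytes and
the expression sums them per interval, versus a cumulative interface counter,
which must be differentiated first. Both divide by 125000: 1 Mbit = 1e6 bits
= 125,000 bytes, the same divisor as .divide(125000) in the question."""
from collections import defaultdict

BYTES_PER_MEGABIT = 125_000


def mbps_from_sessions(events, interval_s):
    """events: (epoch_seconds, bytes) per firewall session log line.
    Sum bytes per time bucket, then convert and scale to per second, which
    mirrors metric=sum:... -> .divide(125000) -> .scale_interval(1s)."""
    buckets = defaultdict(int)
    for ts, nbytes in events:
        buckets[ts - ts % interval_s] += nbytes
    return {b: total / BYTES_PER_MEGABIT / interval_s
            for b, total in sorted(buckets.items())}


def mbps_from_counter(samples):
    """samples: (epoch_seconds, cumulative_bytes) from an ever-increasing
    counter. Rate = delta bytes / delta seconds. A decrease means the counter
    reset (reboot or wrap), so that interval is skipped rather than charted
    as a huge negative or positive spike."""
    rates = {}
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if c1 < c0 or t1 <= t0:
            continue
        rates[t1] = (c1 - c0) / BYTES_PER_MEGABIT / (t1 - t0)
    return rates


# Constructed: three HTTPS sessions logged at their end time, 10 s buckets.
SESSION_LOGS = [(1000, 1_250_000), (1004, 2_500_000), (1013, 12_500_000)]
# Constructed: a counter growing at a steady 10 Mbit/s, sampled every 10 s.
COUNTER_SAMPLES = [(1000, 10**9), (1010, 10**9 + 12_500_000),
                   (1020, 10**9 + 25_000_000)]

if __name__ == "__main__":
    print("sessions (gauge)  :", mbps_from_sessions(SESSION_LOGS, 10))
    print("counter (derivative):", mbps_from_counter(COUNTER_SAMPLES))
    # Summing a cumulative counter as if it were a gauge inflates the result
    # by the counter's absolute value, which is how a link can "show" 80 Gbps.
    print("counter summed as gauge:", mbps_from_sessions(COUNTER_SAMPLES, 10))
```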

Hi @stephenb,

In this case, my stats are coming from firewall logs, so the bytes in/out are for each TCP session and not monotonically increasing.

I keep on investigating.
