This shows me a graph of my Netflow information. It aggregates on netflow.bytes and splits on src_port_name:10, keeping only the top 10.
The problem is that in my top 10 I have the 10 protocols that "appear" the most in the index, but I would like the top 10 protocols in terms of bytes (so after the aggregation).
It means that if I do a single connection on an unusual port with a LOT of traffic (bytes), it will only generate a single flow (= log line) and it won't appear in the top 10. On the other hand, protocols that are doing a lot of flows (e.g. DNS) but very few bytes will appear in the top 10.
If someone understands the issue, I would like to get advice on how to get the correct behavior.
Hi, this is about having the buckets of a terms aggregation sorted by a metric sub-aggregation instead of the doc_count of the bucket. Unfortunately, Timelion does not support this at the moment.
However, the Time Series Visual Builder visualization can do this. Note how I'm able to order by "Sum of metric":
It's sad that Timelion doesn't support it, it looks quite simple. Hope it'll be supported in the future.
Your solution looks promising, now I have the right top 10 with TSVB!
But I still have a problem: "sum:netflow.bytes" just computes the total of bytes per protocol. After that, I would like to get the bytes**/second**. Since my interval is 1 minute, I must divide the values by 60.
In Timelion, this is done by .scale_interval(1s), but I don't find the equivalent in TSVB.
I would also like to transform those bytes/sec into bits/sec.
Is there a way to do this in TSVB? I tried Custom Data Formatter with Numeral.js operations like .divide() but it doesn't seem to work.
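As an added example (not from the thread, and not Kibana's own code), here is a Python simulation of the two orderings the answer contrasts (doc_count vs. sum of bytes), the .scale_interval(1s) plus bits conversion asked about above, and the Elasticsearch terms aggregation body that orders buckets by the sum sub-aggregation. The field names follow the question; the flow records, the aggregation name `total_bytes` and the 1-minute interval are assumptions.

```python
from collections import defaultdict

# Constructed sample flows (not real data): one record per flow, using the
# fields the question aggregates on. DNS produces many tiny flows, while a
# single connection on an unusual port carries one huge flow.
SAMPLE_FLOWS = (
    [{"src_port_name": "dns", "netflow.bytes": 120}] * 50
    + [{"src_port_name": "https", "netflow.bytes": 4_000}] * 20
    + [{"src_port_name": "unusual-port", "netflow.bytes": 50_000_000}]
)
INTERVAL_SECONDS = 60  # the 1-minute bucket interval from the question


def terms_buckets(flows, field="src_port_name", metric="netflow.bytes"):
    """Simulate a terms aggregation with a sum sub-aggregation.
    Returns {term: {"doc_count": n, "sum_bytes": total}}."""
    buckets = defaultdict(lambda: {"doc_count": 0, "sum_bytes": 0})
    for flow in flows:
        bucket = buckets[flow[field]]
        bucket["doc_count"] += 1
        bucket["sum_bytes"] += flow[metric]
    return dict(buckets)


def top_terms(buckets, n=10, order_by="doc_count"):
    """Keep the top n terms, ordered like Timelion (doc_count) or like
    TSVB's 'Sum of metric' (sum_bytes)."""
    ranked = sorted(buckets.items(), key=lambda kv: kv[1][order_by], reverse=True)
    return [term for term, _ in ranked[:n]]


def bits_per_second(sum_bytes, interval_seconds=INTERVAL_SECONDS):
    """Equivalent of Timelion's .scale_interval(1s) followed by bytes -> bits:
    divide the per-bucket byte total by the bucket length, then multiply by 8."""
    return sum_bytes / interval_seconds * 8


def es_terms_agg_body(size=10, field="src_port_name", metric="netflow.bytes"):
    """The Elasticsearch aggregation the TSVB answer relies on: a terms
    aggregation whose buckets are ordered by a sum sub-aggregation instead of
    doc_count. The aggregation names are assumptions."""
    return {
        "aggs": {
            "top_protocols": {
                "terms": {"field": field, "size": size, "order": {"total_bytes": "desc"}},
                "aggs": {"total_bytes": {"sum": {"field": metric}}},
            }
        }
    }
```

With the sample flows, ordering by doc_count puts DNS first and drops the unusual port entirely, while ordering by sum_bytes ranks the unusual port first, which is the behaviour the question asks for.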