Timelion - How to calculate and viszualize " Mbps " using netflow data

Elastic Stack Kibana
1

Hi All,
Currently am using Logstash , Elasticsearch & Kibana to gather and visualize Netflow data from few of our gateway routers.
With Netflow data am receiving " netflow.in_bytes " filed which contains the bytes of data. I was trying to put that data in to a timelion and using the following function to calculate the Mbps.

But the output am getting is not accurate. Can anyone advise me on this ?

Blockquote
.es(timefield=@timestamp, metric=sum:netflow.in_bytes).derivative().multiply(8).divide(1048576).divide(60).lines(fill=2, width=1).color(green).label("Inbound traffic").title("Network traffic (MB/s)")

2

Any help ?

3

If you are starting with bytes, you just need to divide by 1000000 to get megabytes.

4

In what way is the result not accurate?

When I have calculated volume per second I have not used the 'derivative' funktion and have replaced 'divide(60)' by the 'scale_interval' function, which can adapt to changing aggregation intervals, as described in this thread.

5

Thanks tyler,
converting in to MB can be done using devide() function. But by using "netflow.in_bytes" the out come is not accurate .

6

Dear Christian,
Thanks for the update!!!
I have tried the function mentioned in that thread but the out come is not accurate.

Blockquote
.es(index=logstash*, metric='sum:bytes').divide(1048576).scale_interval('1s').title('MB per second')

I have used the it as below.

Blockquote
.es(index=logstash*, metric='sum:netflow.in_bytes').divide(1048576).scale_interval('1s').title('MB per second')

7

In what way is it not accurate? What are you comparing it to?

9

Sorry for the late reply !!!
Following is my timelion function. Am collecting Netflow data from few sources and I want to calculate the Bandwidth usage ( MBps ) subnet wise.

Blockquote
.es(index=logstash*, metric='sum:netflow.in_bytes').divide(1048576).scale_interval('1s').title('MB per second')

10

That does not really answer any of the questions I asked, so I am not sure how I can help further.

11

Sorry !!!
It's like this , I want to know the usage ( MBps ) of a subnet ( eg: 192.168.0.0/24 ). This subnet is devided in to /29's and given to some other devices.

I have a CACTI system which will record the individual usage of devices.

When I apply the above timelion function the output I get is not even approximately close to what I see in CACTI.

Please let me know any other info you needed.

12

Is your CACTI system based on the same data you are recording in Elasticsearch? Is the granularity the same?

13

No it collect data via SNMP.

14

How large is the difference? Does it shrink if you average out over a longer period? Are you able to see if the raw data used contain the same data?

15

Am checking it for a 15min window.

Both systems showing totally different values. CACTI system normally closed to actual usage of that device. on the the other hand Timelion showing irrelevant info.

Am not think it's shrink or anything....

I didn't get the last question , can you explain how I can check it ?

16

I do not know how you would check the underlying data in your CACTI system and compare this to the data reported to Elasticsearch. Can you show us what the data looks like and how large the difference is?

17

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.