Timelion - How to calculate and viszualize " Mbps " using netflow data

Methsri_Wickramarath · December 28, 2017, 6:04am

Hi All,
Currently am using Logstash , Elasticsearch & Kibana to gather and visualize Netflow data from few of our gateway routers.
With Netflow data am receiving " netflow.in_bytes " filed which contains the bytes of data. I was trying to put that data in to a timelion and using the following function to calculate the Mbps.

But the output am getting is not accurate. Can anyone advise me on this ?

Blockquote
.es(timefield=@timestamp, metric=sum:netflow.in_bytes).derivative().multiply(8).divide(1048576).divide(60).lines(fill=2, width=1).color(green).label("Inbound traffic").title("Network traffic (MB/s)")

Methsri_Wickramarath · December 28, 2017, 4:39pm

Any help ?

tylersmalley · December 29, 2017, 4:54am

If you are starting with bytes, you just need to divide by 1000000 to get megabytes.

Christian_Dahlqvist · December 29, 2017, 5:10am

In what way is the result not accurate?

When I have calculated volume per second I have not used the 'derivative' funktion and have replaced 'divide(60)' by the 'scale_interval' function, which can adapt to changing aggregation intervals, as described in this thread.

Methsri_Wickramarath · December 29, 2017, 6:28am

Thanks tyler,
converting in to MB can be done using devide() function. But by using "netflow.in_bytes" the out come is not accurate .

Methsri_Wickramarath · December 29, 2017, 6:34am

Dear Christian,
Thanks for the update!!!
I have tried the function mentioned in that thread but the out come is not accurate.

Blockquote
.es(index=logstash*, metric='sum:bytes').divide(1048576).scale_interval('1s').title('MB per second')

I have used the it as below.

Blockquote
.es(index=logstash*, metric='sum:netflow.in_bytes').divide(1048576).scale_interval('1s').title('MB per second')

Christian_Dahlqvist · December 29, 2017, 9:20am

In what way is it not accurate? What are you comparing it to?

Methsri_Wickramarath · January 4, 2018, 6:01am

Sorry for the late reply !!!
Following is my timelion function. Am collecting Netflow data from few sources and I want to calculate the Bandwidth usage ( MBps ) subnet wise.

Blockquote
.es(index=logstash*, metric='sum:netflow.in_bytes').divide(1048576).scale_interval('1s').title('MB per second')

Christian_Dahlqvist · January 4, 2018, 6:22am

That does not really answer any of the questions I asked, so I am not sure how I can help further.

Methsri_Wickramarath · January 4, 2018, 9:23am

Sorry !!!
It's like this , I want to know the usage ( MBps ) of a subnet ( eg: 192.168.0.0/24 ). This subnet is devided in to /29's and given to some other devices.

I have a CACTI system which will record the individual usage of devices.

When I apply the above timelion function the output I get is not even approximately close to what I see in CACTI.

Please let me know any other info you needed.

Christian_Dahlqvist · January 4, 2018, 9:59am

Is your CACTI system based on the same data you are recording in Elasticsearch? Is the granularity the same?

Methsri_Wickramarath · January 4, 2018, 11:54am

No it collect data via SNMP.

Christian_Dahlqvist · January 4, 2018, 12:10pm

How large is the difference? Does it shrink if you average out over a longer period? Are you able to see if the raw data used contain the same data?

Methsri_Wickramarath · January 5, 2018, 8:39am

Am checking it for a 15min window.

Both systems showing totally different values. CACTI system normally closed to actual usage of that device. on the the other hand Timelion showing irrelevant info.

Am not think it's shrink or anything....

I didn't get the last question , can you explain how I can check it ?

Christian_Dahlqvist · January 5, 2018, 8:54am

I do not know how you would check the underlying data in your CACTI system and compare this to the data reported to Elasticsearch. Can you show us what the data looks like and how large the difference is?

system · February 2, 2018, 8:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.