Hi,
There is not currently in NTA 3.8 not possible to get 95th percentil via WeB UI charts.
However You can create Custom Report by using report writer.
I attached non official 95th percentile reports for IPGroups. Values are presented in (Bytes per seconds) Bps only.
[View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports.zip]
Installation of reports:
Copy files with extension OrionReport into reports directory (../Orion/Solarwinds/Reports) on main poller and addtional web sites
Please let me know Your questions, comments about attached reports.
Thanks
Regards radek
Thanks Radekn. This works great. Do you know if there will be support for this type of functionality in the GUI in the future?
Another thing I was interested in using IP groups, but only to track a specific conversation, for example 172.16.1.1 to 192.168.1.1. Is this possible using IP groups right now?
I guess what my question is, how do IP groups work? For example when I enter two subnets in a single group:
172.16.1.1/24
192.168.1.1/24
Does the flow have to match both subnets to fall under this IP group or just one? It seems like there should be a way to specific the logical and or the logical or for the group.
Hi Mattyo,
The 95th percentile on GUI is on the list of customer feature requests.
I attached new 95th percentile IP Groups report which supports IP conversation filter (from Source IP to Destinantion IP).
If you have two subnets in a single group then flow has to match at least one subnet in order to fall under this IP group.
It is the logical OR.
Please let me know any other questions,comments.
Thanks
Regards radekn
[View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports-v2.zip]
Hi Radekn,
For the "last month" report, is that using data from the last calendar month (say you ran a report on July 15, it would report on data from June 1 - 30) or is it by the last 30 days (running report on July 15 gets you data from June 15 - July 15) or none of the above?
Thanks,
Matt
Hi Mattyo,
In Your example the "last month" report will show data for whole previous month ( from June 1 - 30 ).
If You want to see a data for last 30 days from June 15 - July 15 than You will need to have a new report prepared.
The new report for last 30 days You can create by copy of the report for the last 7 days and modify (by ReportWriter) start time variable ( from SET @StartTime=GETDATE()-7 to SET @StartTime=GETDATE()-30 ).
Regards
radekn
Hi Radekn,
Another question for you. In looking at the report for live traffic (for the current month). These are the numbers that I am getting:
This is for private addresses.
Ingress Egress Total
36364959 39829696 36364959
This doesn't make sense to me, that the total is equal to ingress traffic. Could you please explain what the total field means and how it is computed?
My setup is 4 Cisco routers with ip flow ingress and egress configured on a single interface (logically the "inside" interface) streaming data to the SolarWinds collector.
Hi Mattyo,
Yes this is a bug of the report. I fixed it and attached new version of the report.
I also added maximum 95th percentile ( the percentile of maximum values from both Ingress and Egress traffic )
Please let me know other questions You have.
thanks
Regards radekn
[View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports-v3.zip]
Hi Radekn,
In the new version of the reports the ingress traffic is identical to egress traffic. The total works fine, but I am curious as to why this is happening as I was expecting the traffic to be quite asymmetric (much more traffic going out versus coming in). Any thoughts?
Thanks,
Matt
Hi Mattyo,
Can you send me example screenshot (NTA web page) with is asymmetric traffic, please?
Thanks
Regards Radekn
Hi Radekn,
Here is what the SolarWinds UI is looking like. Router 1 is the Netflow exporter. All the traffic captured in the IP Groups in the 95th percentile ip group report are going through this router. It is thought that ingress and egress traffic are going to look different, rather than identical as in the report. I think a previous version (the one that displayed units only in bps) had different values. The scenario here is that Group 1 has a list of public IP addresses of http servers. We want to know the breakdown of the web traffic for each group of web servers from users coming over the internet.
   Router1 | |||||
Here is an excerpt of the 95th percentile report. It is strange to me that ingress bps and egress bps are equivalent.
| Name | Ingress bps | Egress bps | Total bps | Maximum bps |
|---|---|---|---|---|
| Group 1 | 667.3 Kbps | 667.3 Kbps | 1.3 Mbps | 667.3 Kbps |
| Group 2 | 2950.0 bps | 2950.0 bps | 5900.0 bps | 2950.0 bps |
I also am wondering if it would be possible to get a 95th percentile bandwidth utilization report by IP Group but also by interface for a certain time period.
Hi Mattyo,
For this report there was used IP groups report which puts Source IPs and Destination IPs together by definition.
This does not separate received and transmitted traffic to IP group but it display total traffic=(Received + Transmitted) by IP address group per interface with specific interfaces flow direction (Ingress/Egress).
for example:
communication between two endpoints A and B where A belongs to Group1 will be calculated as :
Group1: A
Communication between two endpoints:
from A to B sent 10 bytes
from B to A sent 10 bytes
-------------------------------
then Group1 total traffic =20 bytes
Group1 acted as source(transmitter) = 10 bytes
Group1 acted as destination(receiver) = 10 bytes
To separate this ( A to B and B to A) there will be needed to modify this report.
Please check link to new reports and let me know if it is what you need.
95th Percentile Bandwidth Utilization using Netflow- IPGroups-Pxx1h
New report mix original report with additional information by source and destination traffic.
It represents three NTA resources "Top XX IP Address Groups", "Top XX Source IP Address Groups" and "Top XX Destination IP Address Groups"
Report presents source/destination and Ingress/Egress traffic.
- Ingress/Egress flow traffic per interface .
- Source/Destination traffic is traffic between two endpoints (source IP and destination IP).
Destination traffic means that Endpoints which belongs to IP address group were receiving traffic from others ( traffic which was sent to IP address group).
For Source traffic it means that Endpoints from IP address group were sending data to others ( traffic received by Group).
Source and Destination traffic is than divided to Ingress and Egress. So there is possible to see Source/Destination traffic via
interfaces in Ingress or Egress flow direction
Report can also display nodes together with interfaces, nodes only or overall summaries. Check report SQL header section for possible filters choices.
Please let me know any other questions.
Regards Radekn
Hi Radekn,
The reports look great. Is there a way to filter on a specific IP Group and interface easily? For example, I have 4 groups for customer A:
Group 1 - web servers
Group 2 - application servers
Group 3 - database servers
Group 4 - Aggregate of Groups 1, 2, & 3 (basically all the IPs of the groups are added together into a single group).
For a financial audience, I want to simply present to them the bandwidth that Customer A used on a certain WAN link. So I want to map Group 4 to the interface of an edge router connected to that WAN link. Basically all this data is already in the report, I just would like to find a way to filter it down so they don't have to make sense of it.
Hi Mattyo,
I modified reports with new parameters InterfaceIDs,GroupIDs. Multiple filter values are identified as comma separated value.
Parameter @ConversationIPs is using comma separated values as well.
So for example to filter report by Your IP groups it will looks like this
SET @GroupIDs= ' Group 1 - web servers,Group 2 - application servers,Group 3 - database servers,Group 4 - Aggregate of Groups '
For Interfaces filter there is used InterfaceID instead of interface caption due to possible duplicated interface caption names.
Regards Radekn
reports are stored here
95th Percentile Bandwidth Utilization using Netflow- IPGroups-Pxx1h
Thanks Radekn. I ran into a issue with the reports. It doesn't seem to be using the new IP Groups I implemented. I see all the old ones but the 4 or 5 new ones I put in are not being reported on (neither 30 days or 7 days). It is happening with both SW servers. Any tips to make it use the current IP Groups in the custom reports?
Hi Mattyo,
Reports will display only IPgroups which are enabled for display in TopXX IP Adress Groups Resourse.
The "Enable display in Top XX IP Address Groups resources" choice in "Edit IP Address Groups" view has to be enabled. You can go there via "Netflow Settings/IP Address Groups/Manage IP Address Groups"
Please let me know if this helped.
Regards Radekn
Hi Radekn,
Again thanks for the info. Your assistance has been invaluable.
Two more quick questions.
Is there a sample interval for these reports or do they operate by all flows the collector receives? I noticed a discrepancy when creating an IP group for ALL TRAFFIC (0.0.0.0 - 255.255.255.255) then viewing the 95th percentile average in the report. This value came back different (lower) than the SNMP sampled (30 min interval) 95th percentile utilization. I'd imagine the sampling could have something to do with the different values (no sampling versus all flows).
Also, is there a way to easily export the report data to MS Excel?
Thanks again,
Matt
Hi Mattyo,
Reports are using 24h interval for bandwith utilization therefore data to last date (23:59 PM of previous date) are the last data included in report.
However NPM 95th percentile report is including today’s data.
When compare the NTA 95th report data with NPM 95th report modify the end date of NPM report to same end date as is in NTA report (replace SET @EndDate = GetDate() within SET @EndDate = CAST((FLOOR((CAST(GETDATE() AS float)+5e-6))) AS smalldatetime) )
Also check if you have 95 top NTA talkers feature set disabled(set to 100). By default the 95 top talkers Feature is set to 95.
Export to excel is possible via ReportWriter.
Thanks
Regards Radekn
Hi Radekn,
I don't understand. Do I want to disable 95 Top talkers or have it enabled?
Matt
Hi Mattyo,
In case You want to compare NTA 95th report with NPM 95th report there will be discrepance because in case you have 95 top talker optimization set to value other then 100. By default it is set to 95 percent. This feature does improve performance by storing only most significant traffic.
So the 95th NTA report is computing daily average bandwith values and is picking only 95th percentile of those values.
Because NPM is using different retention periods you may see differences between two reports.
NPM has following default retention periods
-Detailed statistics retention 7 days
-Hourly statistics retention 30 days
NTA has following default retention periods
-Detailed statistics retention 1 hour
-Hourly statistics retention 24 hours
So for example the NTA 95th report for 30 days and NPM 95 th report may differ because NTA report is using daily averages ( this is by design) and NPM is using hourly averadges+ no averadged detailed data.
It is possible to tweak NTA data to extent retention periods but NTA 95 th report would need to be modified and database server could be overloaded with a lot of data depends on the traffic the NTA is collecting.
Please let me know if you need more Informations.
Regards radekn
Hi Radekn,
Very good response. That clears up a lot of the discrepancy.
So as far as the process of the 95th percentile custom NetFlow report...is this accurate?
NTA collects data on the bandwidth usage in bps for an IP Group. Since top talker optimization is enabled it is computing these averages based on 95% of total traffic.
It aggregates and caches that data daily because it cannot retain detailed statistics for more than a day. For the month of February it keeps in its database values for Feb 1, 2, 3, 4 all the way to the 29th per IP group (or maybe it doesn't keep them explicitly in the database, but it has a way to compute the value).
When I call up a report on March 2nd for 95th percentile netflow by IP Group for February, it computes these averages, as mentioned above, puts them in high to low order (by day I guess?) and throws out the top 5% of them. It then reports the highest value remaining in the report. It does this for each IP Group.
Is that accurate? So in essence it is a 95th percentile report on the daily averages of bandwidth utilized based on 95% of the data? If not please let me know. Also, if it is easier to explain over the phone could you send me a PM with your # or I can send you mine and we can talk about it? I really would like to understand this process.
Hi Mattyo,
Yes this is accurate, it computes daily averages in low order and from top 95 percent it pick the maximum value.
By default( with top talker optimization 95%) the daily collapsed data shows 95 percent traffic in DB, I did not consider that before.
So with this default option the 95% report will display max of top95%( daily95%).
for example: for period March 2,3,4,5,6 ..
So in case top talkers optimization is 100 the results are:
max from top 95%( sum(March2),sum(March3),sum(March4),sum(March5),sum(March6),..)
in case top talkers optimization is 95:
max from top 95%( sum(95%March2),sum(95%March3),sum(95%March4),sum(95%March5),sum(95%March6),..)
It would be probably better to modify report to throw max value only in case of top talker optimization is switched to 95 percents ( this is default value).
so it would look like this
max from ( sum(95%March2),sum(95%March3),sum(95%March4),sum(95%March5),sum(95%March6),..)
in case user will have top talker would be 100 then old way would be used in report.
Please let me know if you want made this modification.
thanks
Regards Radekn
Something tells me that modifying top talkers to 100% and using the existing report will not yield the same results as leaving the top talker at 95% and modifying the report. What do you suggest? I am leaning towards setting top talker to 100% so I get all the data and let the report handle 95th percentilization of the result.
Your thoughts?
Matt
Hi Matt,
Yes, You are correct. The top talkers optimization writes into DB 95% of all traffic (IPgroup 1+IPgroup2+..+IPgroupN).So to have top talkers on 100% will be correct in the case of executing 95% Percentile report.
Please let me know any other questions.
Regards
Radek
