
How to fetch Total Ingress & Egress Bytes for Orion.NetFlow.IPAddressGroups using SDK

Hi All,

I have SWQL Studio and NTA installed. I created multiple IP Address Groups and would like to get the Ingress and Egress Bytes for a particular IPAddressGroup using SWQL Studio. What inputs should I give in the SWQL query to fetch the Ingress and Egress byte counts?


This is the SWQL from the right-side pane for Orion.NetFlow.IPAddressGroupsConversationsTop:

SELECT ConversationID, SourceIPGroupID, DestinationIPGroupID, SourceIPGroupName, DestinationIPGroupName, NodeID, InterfaceID, TotalBytes, TotalPackets, TotalBytesIngress, TotalBytesEgress, TotalPacketsIngress, TotalPacketsEgress
FROM Orion.NetFlow.IPAddressGroupsConversationsTop

WHERE SourceIPGroupName='Airoli-Axis'

I am getting the below output when I execute the query:

"The parameters 'Filter,Limit,Topkey' are missing for entry Orion.NetFlow.IPAddressGroupsConversationsTop"

Has anyone tested the above? Please help me out.


thanks in advance

Arun

  • Hi Arun,

    These queries are not as user-friendly as others, because some NTA schemas are intended for internal use only. They're designed to be called from our framework on the web. The syntax differs based on the NTA version:

    Here is query for NTA 3.8:
    SELECT GroupID, GroupName, NodeID, InterfaceID, TotalBytes, TotalPackets, TotalBytesIngress, TotalPacketsIngress
    FROM Orion.NetFlow.IPAddressGroupsTop(Filter='NSF:T:2012-02-23T06:42:00~2012-02-23T07:40:00;FD:Ingress;G:6', Limit=5, Rx=True, Tx=True, TopKey='')
    --Explanation of the parameters:
    Filter:
        T: Time Period Filter with the following parameter:
            [string] can be one of the following:
                1. Time range in UTC format FromUtc~ToUtc (as in the example)
                2. Relative time period like Last 15 minutes (T:Last 15 minutes)
        FD: Flow Direction filter with the following options: [Ingress / Egress / Both]
        G: [int array] IP Address group filter. Can contain one or more IDs of IP Groups. E.g. G:6,5,1 shows data just for IP Groups 6 or 5 or 1.
    Limit:
        [int] - The limit of returned rows (like top X)
    Rx, Tx:
        [bool] - Show data for Rx and/or Tx. One of those values always has to be true!
    TopKey:
        [string] - Show data just for this key (IpGroupID in this case)

    Here is query for NTA 3.9:
    SELECT GroupID, GroupName, NodeID, InterfaceID, TotalBytes, TotalPackets, TotalBytesIngress, TotalPacketsIngress
    FROM Orion.NetFlow.IPAddressGroupsTop(Filter='NSF:TD:2012-02-23T06:42:00~2012-02-23T07:40:00,1,True,True;FD:Ingress;G:6', Limit=5, Rx=True, Tx=True, TopKey='')
    There's only one difference, in the T parameter: in 3.9 we use TD instead of T. The main difference between T and TD is that TD doesn't support relative time periods and always requires an absolute time period in UTC format. It also requires some additional parameters to specify more precisely what we want from the data storage.
    TD has the following definition:
        TD: Time Period Filter with the following parameters:
            1. [string] - Time range in UTC format FromUtc~ToUtc. This can't be a relative time frame like Last 15 minutes
            2. [int] - Sample / Granularity in minutes. 1 means 1 minute granularity of returned data.
            3. [bool] - IncludeEndTime. Determines if the last interval will be included in the returned data
            4. [bool] - CanUseAggregated. Determines if the data can be returned from aggregated data if possible (like Endpoints, Applications, ...). For IP Groups this is ignored.

    Hopefully it helps, if something is still unclear I’ll be glad to explain.

    The mentioned NTA schemas are unfortunately not intended as a public API. They are designed for internal purposes as a layer between the DB and the Web. Those NTA SWIS schemas can be changed significantly at any time without any limitation. That's the reason why there isn't any public documentation for those schemas.

    Regards,

    Martin

  • Hi Martin,

    I realize this is quite an old post. However, it seems to be the only one that could help me resolve the following query:

    (screenshot of the error message, not reproduced here)

    Based on the error, and what you have explained above, could you please tell me the syntax for the conversation filter, something like C:?

    Your help would be really appreciated.

    Regards

    Paolo.

  • It's been a while, but based on the error message I think you're on the right track. Try adding a conversation (C:) filter as follows:

    (Filter='NSF:C:127000000001-192168001001;TD:2017-11-22T00:00:00~2017-11-23T00:00:00,1,True,True')

    The two large numbers are encoded IP addresses of the conversation endpoints. Encoding is simple: remove the dots and zero-pad each octet to three digits. In the example above, the decoded IPs are 127.0.0.1 and 192.168.1.1.
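As an added example (not code from this thread or from SolarWinds): a small Python helper that builds the NSF filter string from typed inputs using the NTA 3.9 syntax Martin gave above and the C: conversation encoding from the last reply, parses a filter back into its segments, and assembles SWQL in the shape of his IPAddressGroupsTop query. It assumes the segment order and column list are exactly as shown in the posts and that the encoding is a 12-digit zero-padded IPv4; the function names are this example's own. The validation is the practitioner's point: Filter and TopKey end up inside a SWQL string literal, so every value is type-checked (IPv4, integer IDs, one of the three directions, timezone-aware UTC timestamps, no quote characters) before it is interpolated.

```python
"""Build, parse and validate the NSF filter string used by the NTA 'Top'
SWIS entities discussed in this thread.  Added example, not SolarWinds code.

Assumed syntax (from Martin's NTA 3.9 post and the last reply):
  NSF:C:<encIP>-<encIP>;TD:<fromUtc>~<toUtc>,<granMin>,<includeEnd>,<aggr>;FD:<dir>;G:<id,...>
An IPv4 address is encoded by zero-padding each octet to three digits and
dropping the dots (192.168.1.1 -> 192168001001).  Helper names are ours.
"""
from datetime import datetime, timezone
import ipaddress

DIRECTIONS = ("Ingress", "Egress", "Both")


def encode_ip(ip: str) -> str:
    """'192.168.1.1' -> '192168001001'. Rejects anything that is not IPv4."""
    return "".join(f"{octet:03d}" for octet in ipaddress.IPv4Address(ip).packed)


def decode_ip(enc: str) -> str:
    """Inverse of encode_ip; checks length and octet range before trusting it."""
    if len(enc) != 12 or not enc.isdigit():
        raise ValueError(f"expected 12 digits, got {enc!r}")
    octets = [int(enc[i:i + 3]) for i in range(0, 12, 3)]
    if max(octets) > 255:
        raise ValueError(f"octet out of range in {enc!r}")
    return ".".join(map(str, octets))


def _utc(dt: datetime) -> str:
    """Format a FromUtc/ToUtc timestamp; refuse naive datetimes so a local
    time is never silently sent as UTC."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def build_nsf_filter(start, end, *, direction=None, group_ids=(), conversation=None,
                     granularity_min=1, include_end=True, can_use_aggregated=True):
    """Build the Filter= value. Each field is validated before interpolation
    because the result is pasted into a SWQL string literal."""
    if direction is not None and direction not in DIRECTIONS:
        raise ValueError(f"FD must be one of {DIRECTIONS}")
    if end <= start:
        raise ValueError("end must be after start")
    parts = []
    if conversation is not None:              # C: segment, two IPv4 endpoints
        src, dst = conversation
        parts.append(f"C:{encode_ip(src)}-{encode_ip(dst)}")
    parts.append(f"TD:{_utc(start)}~{_utc(end)},{int(granularity_min)},"
                 f"{bool(include_end)},{bool(can_use_aggregated)}")
    if direction is not None:
        parts.append(f"FD:{direction}")
    if group_ids:                             # G: only integer IPGroup IDs
        parts.append("G:" + ",".join(str(int(g)) for g in group_ids))
    return "NSF:" + ";".join(parts)


def parse_nsf_filter(flt: str) -> dict:
    """Split a filter string back into its segments (C: decoded to dotted IPs)."""
    if not flt.startswith("NSF:"):
        raise ValueError("filter must start with NSF:")
    out = {}
    for seg in flt[4:].split(";"):
        key, _, val = seg.partition(":")
        if key == "C":
            a, b = val.split("-")
            out["C"] = (decode_ip(a), decode_ip(b))
        elif key == "TD":
            rng, gran, inc, aggr = val.split(",")
            start, end = rng.split("~")
            out["TD"] = {"from": start, "to": end, "granularity": int(gran),
                         "include_end": inc == "True", "aggregated": aggr == "True"}
        elif key == "T":                      # NTA 3.8 form, absolute or relative
            out["T"] = val
        elif key == "FD":
            if val not in DIRECTIONS:
                raise ValueError(f"bad FD value {val!r}")
            out["FD"] = val
        elif key == "G":
            out["G"] = [int(g) for g in val.split(",")]
        else:
            raise ValueError(f"unknown segment {key!r}")
    return out


def build_top_query(flt, *, entity="Orion.NetFlow.IPAddressGroupsTop",
                    columns=("GroupID", "GroupName", "NodeID", "InterfaceID", "TotalBytes",
                             "TotalPackets", "TotalBytesIngress", "TotalPacketsIngress"),
                    limit=5, rx=True, tx=True, top_key=""):
    """Assemble SWQL in the shape Martin posted. Rx/Tx cannot both be False,
    TopKey is limited to digits (an IPGroupID here) and the filter may not
    contain a quote, so nothing can break out of the string literal."""
    if not (rx or tx):
        raise ValueError("one of Rx or Tx must be True")
    if "'" in flt:
        raise ValueError("filter must not contain quote characters")
    if top_key and not str(top_key).isdigit():
        raise ValueError("TopKey must be an IPGroupID")
    return (f"SELECT {', '.join(columns)}\nFROM {entity}(Filter='{flt}', Limit={int(limit)}, "
            f"Rx={rx}, Tx={tx}, TopKey='{top_key}')")


def example_filters() -> dict:
    """Reproduce the two filter strings quoted in the thread (constructed input)."""
    return {
        "nta39": build_nsf_filter(datetime(2012, 2, 23, 6, 42, tzinfo=timezone.utc),
                                  datetime(2012, 2, 23, 7, 40, tzinfo=timezone.utc),
                                  direction="Ingress", group_ids=[6]),
        "conversation": build_nsf_filter(datetime(2017, 11, 22, tzinfo=timezone.utc),
                                         datetime(2017, 11, 23, tzinfo=timezone.utc),
                                         conversation=("127.0.0.1", "192.168.1.1")),
    }


if __name__ == "__main__":
    print(build_top_query(example_filters()["nta39"]))
```

The rebuilt query is what you paste into SWQL Studio; swapping `entity` and `columns` for the Orion.NetFlow.IPAddressGroupsConversationsTop names from the original post gives the egress-byte variant, subject to Martin's caveat that these schemas are internal and may change between NTA versions.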