This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

95th Percentile Bandwidth Utilization using Netflow

I have a customer that is interested in obtaining 95th percentile values in Kbps/Mbps using the NTA product.  The catch is that they would like to do it per IP group. 

For example, they would like to get a single value for 95th percentile bandwidth inbound to 172.16.1.0/24.

Is there any way to do this using the product?

Thanks,

Matt

Parents
  • Hi,

    There is not currently in NTA 3.8 not possible to get 95th percentil via WeB UI charts.

    However You can create Custom Report by using report writer.

    I attached non official 95th percentile reports for IPGroups. Values are presented in (Bytes per seconds) Bps only. 

    95 percentile reports.zip

     

    Installation of reports:

    Copy files with extension OrionReport into reports directory (../Orion/Solarwinds/Reports) on main poller and addtional web sites

     

    Please let me know Your questions, comments about attached reports.

     

    Thanks

    Regards radek

  • Thanks Radekn.  This works great.  Do you know if there will be support for this type of functionality in the GUI in the future? 

    Another thing I was interested in using IP groups, but only to track a specific conversation, for example 172.16.1.1 to 192.168.1.1.  Is this possible using IP groups right now? 

    I guess what my question is, how do IP groups work?  For example when I enter two subnets in a single group:

    172.16.1.1/24

    192.168.1.1/24

    Does the flow have to match both subnets to fall under this IP group or just one?  It seems like there should be a way to specific the logical and or the logical or for the group.

  • Hi Mattyo,

    The 95th percentile on GUI is on the list of customer feature requests.

    I attached new 95th percentile IP Groups report which supports IP conversation filter (from Source IP to Destinantion IP).

    If you have two subnets in a single group then flow has to match at least one subnet in order to fall under this IP group.

    It is the logical OR.


    Please let me know any other questions,comments.

    Thanks

    Regards radekn
    95 percentile reports v2.zip

  • Hi Radekn,

    For the "last month" report, is that using data from the last calendar month (say you ran a report on July 15, it would report on data from June 1 - 30) or is it by the last 30 days (running report on July 15 gets you data from June 15 - July 15) or none of the above?


    Thanks,

    Matt

  • Hi Mattyo,

    In Your example the "last month" report will show data for whole previous month ( from June 1 - 30 ).

    If You want to see a data for last 30 days from June 15 - July 15 than You will need to have a new report prepared.

    The new report for last 30 days You can create by copy of the report for the last 7 days and modify (by ReportWriter) start time variable ( from SET @StartTime=GETDATE()-7  to SET @StartTime=GETDATE()-30 ).

     

    Regards

    radekn

  • Hi Radekn,

     

    Another question for you.  In looking at the report for live traffic (for the current month).  These are the numbers that I am getting:

     

    This is for private addresses.

    Ingress           Egress             Total

    36364959    39829696        36364959  

     

    This doesn't make sense to me, that the total is equal to ingress traffic.  Could you please explain what the total field means and how it is computed? 

    My setup is 4 Cisco routers with ip flow ingress and egress configured on a single interface (logically the "inside" interface) streaming data to the SolarWinds collector.

Reply
  • Hi Radekn,

     

    Another question for you.  In looking at the report for live traffic (for the current month).  These are the numbers that I am getting:

     

    This is for private addresses.

    Ingress           Egress             Total

    36364959    39829696        36364959  

     

    This doesn't make sense to me, that the total is equal to ingress traffic.  Could you please explain what the total field means and how it is computed? 

    My setup is 4 Cisco routers with ip flow ingress and egress configured on a single interface (logically the "inside" interface) streaming data to the SolarWinds collector.

Children
  • Hi Mattyo,

    Yes this is a bug of the report. I fixed it and attached new version of the report.
    I also added maximum 95th percentile ( the percentile of maximum values from both Ingress and Egress traffic )

    Please let me know other questions You have.

    thanks

    Regards radekn


    95 percentile reports v3.zip

  • Hi Radekn,

     

    In the new version of the reports the ingress traffic is identical to egress traffic.  The total works fine, but I am curious as to why this is happening as I was expecting the traffic to be quite asymmetric (much more traffic going out versus coming in).  Any thoughts?

     

    Thanks,

    Matt

  • Hi Mattyo,
    Can you send me example screenshot (NTA web page) with is asymmetric traffic, please?
    Thanks
    Regards                Radekn
  • Hi Radekn,

    Here is what the SolarWinds UI is looking like.  Router 1 is the Netflow exporter.  All the traffic captured in the IP Groups in the 95th percentile ip group report are going through this router.  It is thought that ingress and egress traffic are going to look different, rather than identical as in the report.  I think a previous version (the one that displayed units only in bps) had different values.  The scenario here is that Group 1 has a list of public IP addresses of http servers.  We want to know the breakdown of the web traffic for each group of web servers from users coming over the internet.

    Router12/15/12 4:30 PMnever
    GigabitEthernet0/0 · Outside/ISP interface4.49 Mbps11.01 Mbps2/15/12 4:31 PMnever
    GigabitEthernet0/1 · Inside Interface11.07 Mbps4.74 Mbps2/15/12 4:31 PMnever
    Tunnel1 · VPN Tunnel 162.92 Kbps6548.09 bps2/15/12 4:31 PMnever
    Tunnel2 · VPN Tunnel 214.6 Kbps21.05 Kbps2/15/12 4:31 PMnever
    Tunnel3 ·VPN Tunnel 3130.78 Kbps136.2 Kbps2/15/12 4:31 PM

    Here is an excerpt of the 95th percentile report.  It is strange to me that ingress bps and egress bps are equivalent.

    95 Percentile Per IP Group - This Month

    NameIngress bpsEgress bpsTotal bpsMaximum bps
    Group 1667.3 Kbps667.3 Kbps1.3 Mbps667.3 Kbps
    Group 22950.0 bps2950.0 bps5900.0 bps

    2950.0 bps

  • I also am wondering if it would be possible to get a 95th percentile bandwidth utilization report by IP Group but also by interface for a certain time period. 

  • Any thoughts on this radekn?

  • Hi Mattyo,

     

    For this report there was used IP groups report which puts Source IPs and Destination IPs together by definition.

    This does not separate received and transmitted traffic to IP group but it display total traffic=(Received + Transmitted) by IP address group per interface with specific interfaces flow direction (Ingress/Egress).

     

    for example:

     

    communication between two endpoints A and B where A belongs to Group1 will be calculated as :

     

    Group1:  A

     

    Communication between two endpoints:

     

    from A to B  sent 10 bytes

    from B to A  sent 10 bytes

    -------------------------------

    then  Group1 total traffic =20 bytes

     

    Group1 acted as source(transmitter) = 10 bytes

    Group1 acted as destination(receiver) = 10 bytes

     

    To separate this ( A to B and B to A)  there will be needed to modify this report.

     

    Please check link to new reports and let me know if it is what you need.


     

    New report mix original report with additional information by source and destination traffic.

    It represents  three NTA resources "Top XX IP Address Groups", "Top XX Source IP Address Groups" and "Top XX Destination IP Address Groups"

     

     

    Report presents source/destination and Ingress/Egress traffic.

     

    -          Ingress/Egress flow traffic per interface .


     

    -          Source/Destination traffic is traffic between two endpoints (source IP and destination IP).


     

     

    Destination traffic means that Endpoints which belongs to IP address group were receiving traffic from others ( traffic which was sent to IP address group).

     

    For Source traffic it means that Endpoints from IP address group were sending data to others ( traffic received by Group).

     

    Source and Destination traffic is than divided to Ingress and Egress. So there is possible to see Source/Destination traffic via

    interfaces  in Ingress or Egress flow direction

     

     

    Report can also display nodes together with interfaces, nodes only or overall summaries. Check report SQL header section for possible filters choices.

     

    Please let me know any other questions.

     

    Regards Radekn
  • Hi Radekn,

     

    The reports look great.  Is there a way to filter on a specific IP Group and interface easily?  For example, I have 4 groups for customer A:

    Group 1 - web servers

    Group 2 - application servers

    Group 3 - database servers

    Group 4 - Aggregate of Groups 1, 2, & 3 (basically all the IPs of the groups are added together into a single group).

     

    For a financial audience, I want to simply present to them the bandwidth that Customer A used on a certain WAN link.  So I want to map Group 4 to the interface of an edge router connected to that WAN link.  Basically all this data is already in the report, I just would like to find a way to filter it down so they don't have to make sense of it.

  • Hi Mattyo,

    I modified reports with new parameters InterfaceIDs,GroupIDs. Multiple filter values are identified as comma separated value.

    Parameter @ConversationIPs is using comma separated values as well.

    So for example to filter report by Your IP groups it will looks like this

    SET @GroupIDs= ' Group 1 - web servers,Group 2 - application servers,Group 3 - database servers,Group 4 - Aggregate of Groups '

    For Interfaces filter there is used InterfaceID instead of interface caption due to possible duplicated interface caption names.


    Regards Radekn


    reports are stored here

     
  • Thanks Radekn.  I ran into a issue with the reports.  It doesn't seem to be using the new IP Groups I implemented.  I see all the old ones but the 4 or 5 new ones I put in are not being reported on (neither 30 days or 7 days).  It is happening with both SW servers.   Any tips to make it use the current IP Groups in the custom reports?