Netflow Reporting - IPGroupSegmentID Property

Hello Fellow Thwackers,

As referenced by my name, when I want to create a report/alert/etc. I usually skip and go right to a custom SWQL query.

I'm wondering if anyone can assist with the following :

I am attempting to write a SWQL query for NetFlow reporting and notice that the SourceIPGroupSegmentID/DestinationIPGroupSegmentID properties (from Orion.Netflow.Flows) are all linked to the Orion.Netflow.SourceIPGroup table.

However, the ID fields differ - and there is no common table I can find that links the two IDs to each other.

For instance - There are only 30 instances of IP Groups in the Orion.Netflow.SourceIPGroup table - IDs 1-30.

The value that corresponds with ID 30 is 95 in the SourceIP/DestinationIPGroupSegmentID - 30 maps to 95.

I created a new group, and observed that group 31 matches with SourceIP/DestinationIPGroupSegmentID of 114.

Can anyone explain how this is being calculated? If I can determine either where or how this mapping is done, I can definitely arrange some reporting based on IP Address Groups (and I think thwack could definitely use a few more posts on how to do custom Netflow reporting...)

Thank you -

=Swql

  • Hi,

    IP address groups in NetFlow can contain multiple ranges or single IPs. The IP address space 0.0.0.0-255.255.255.255 is divided by all of these ranges, and smaller parts (segments) are created. IP groups then reference these IP address group segments.

    The ID of segments is incremental; if you create new IP groups, probably new segments will be created and segments are reassigned to IP address groups. Also, if you delete all IP address groups and create the same groups again, new segments will be created.

    Petr

  • Hello Petr,

    I'm aware of how the IP address group segments work - my main point was that there is no mapping between the IDs that are created/recreated and the name of the IP address group itself - this makes capturing data more difficult through SWQL unless there is a mapping somewhere between tables - which I haven't located yet.

    It can be done through the web reporter so I'm assuming there is some mapping mechanism there in the background - trying to locate that.

    Thank you,

    =Swql

  • Hi,

    NTA tables reference the Orion.NetFlow.IPAddressGroups table. The mapping between segments and IP group ID is done automatically in the background.

    Usage example:

    SELECT T1.SourceIPGroup.Name, T1.DestinationIPGroup.IPAddressGroupID
    FROM Orion.NetFlow.Flows AS T1
    WHERE T1.SourceIPGroup.Enabled = 1

    Petr
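
Added example, not part of the original thread and not SolarWinds code: a minimal Python model of the segmentation Petr describes in his first reply, showing why segment IDs outnumber group IDs and jump when a group is added. The group names, the ranges, and the rule that every rebuild issues fresh IDs for all segments are assumptions made for illustration.

```python
import ipaddress
from itertools import count

FULL_END = 2**32 - 1  # 255.255.255.255 as an integer

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def build_segments(groups, id_source):
    """Split 0.0.0.0-255.255.255.255 at every group range boundary.

    groups: {name: [(first_ip, last_ip), ...]}, ranges inclusive.
    id_source: iterator of segment IDs; IDs are never reused (assumption).
    Returns (segments, membership): {seg_id: (first, last)}, {name: [seg_id]}.
    """
    ranges = {n: [(to_int(a), to_int(b)) for a, b in rs] for n, rs in groups.items()}
    # A cut falls at each range start and at the address just past each range end.
    cuts = {0, FULL_END + 1}
    for rs in ranges.values():
        for lo, hi in rs:
            cuts.update((lo, hi + 1))
    cuts = sorted(cuts)

    segments, membership = {}, {n: [] for n in groups}
    for lo, nxt in zip(cuts, cuts[1:]):
        hi = nxt - 1
        seg_id = next(id_source)
        segments[seg_id] = (str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
        # A segment never straddles a boundary, so it is wholly in or out of a range.
        for n, rs in ranges.items():
            if any(a <= lo and hi <= b for a, b in rs):
                membership[n].append(seg_id)
    return segments, membership

def groups_for_segment(membership, seg_id):
    """The lookup a flow row needs: segment ID -> owning group names."""
    return sorted(n for n, ids in membership.items() if seg_id in ids)

if __name__ == "__main__":
    ids = count(1)
    # Constructed sample groups; the two ranges overlap on purpose.
    groups = {"Servers": [("10.0.0.0", "10.0.0.255")],
              "DBs": [("10.0.0.128", "10.0.1.255")]}
    print(build_segments(groups, ids)[1])   # two groups, five segments issued
    groups["VPN"] = [("192.168.5.0", "192.168.5.255")]
    segs, mem = build_segments(groups, ids)  # rebuild: every segment gets a new ID
    print(mem, groups_for_segment(mem, 8))
```

In this model a segment shared by overlapping ranges belongs to more than one group, so a join from segment ID to group name can return several rows for a single flow.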
