
Heads up: How to use data intervals effectively in NTA 4 in conjunction with NPM

Hi Guys,

Just thought I'd throw in my experiences so far in NTA 4 and provide some heads up on functionality / how to use the product based on experience:

  • Love the new data retention feature for NetFlow - it's a good start and heading in the right direction to be comparable with other products
  • There are some significant constraints in the new functionality, the main one being that data interval duration isn't (yet) configurable and works as follows (assuming the nightly data aggregation has occurred):
    • When viewing less than 4 hours of data - 1 minute intervals
    • When viewing between 4 - 24 hours of data - 15 minute intervals
    • When viewing 24+ hours of data - 1 hour intervals
  • I've created a feature request (please help vote it up!) to allow for configurable intervals - but in the interim, I've made some suggestions on how to work around this and use the product

Here's a sample workflow for passive network analysis:

  • Monitor key WAN interfaces through a dynamic group and identify when they're trending high
  • Use graph-based views showing data over time and sort by % utilisation of link as it tends (from our experience) to be easier to spot
  • Once you've identified the trend, use the NPM data to identify the max utilisation events
  • Once you've identified the time period, drill in with NTA on the time period itself and analyse the state change in traffic flows
  • Once you've identified the application - if you can, uniquely name it with your organisation's name - e.g. "Intranet" or "DFS-R replication" - this will:
    • Greatly assist with capacity reporting
    • Lower the bar for new users so that they can more intuitively identify application changes

From experience rolling out NetFlow and other passive analysis solutions from a variety of vendors, the number 1 thing you can do to get value from your NetFlow system is to uniquely identify applications and to do this on an ongoing basis.

Knowing that you have 160kbps of SMB data flowing between sites is "Technical" data. Knowing that this is "Group drive access" and therefore shouldn't be happening is "Business" information and far more relevant.

Hope this helps!

2 Replies
Level 13

The Thwack idea link you shared is incorrect.  Here is the one I think you meant to share:

Ta - typo fixed