• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 23 subscribers
  • Views 692 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Differences between Orion.Netflow.Flows and Orion.Netflow.FlowsBy*

ckwasnicki

In Orion database there are seven tables that contain Netflow information.  They have 36 fields in common, such as the SourceIP address, Number of bytes, SourceHostname etc.  The difference is extra fields, for example ByHostname adds the fields ASID, CountryCode, Domain, Hostname, IP, IPGroupSegmentID, and PartnerIP.  Some of the extra fields appear to be duplicates of the common fields.  For example the extra field Hostname always (in my case and my limited sample) matches either the common fields SourceHostname or DestinationHostname.  This also applies to the extra field IP and PartnerIP.  Are the extra fields there as a programming convenience (for easier flow search) or for some other purpose that I haven't come across?  I would like to use either Orion.Netflow.Flows.ByHostname or Orion.Netflow.Flows.ByIP as they capture more information, but they appear to report the same flow multiple times, just with different "key" values.  I need to make sure I don't drop flows by accident.

Thanks

  • 0

    Hi,

    In essence Orion.Netflow.Flows contain all flows. FlowsBy* entities offer different view over that data. Their main purpose is to provide easy way to query directional fields (e.g. SourceIP and DestinationIP) regardless of their direction (as if there is IP field and you don't care whether it was received as source or destination). So yes, it's more for convenience and ease of use.

    The purpose can be demonstrated with an example: let's say there is only one flow in database. 

    SELECT SourceIP, DestinationIP, SUM(Bytes) AS Bytes FROM Orion.Netflow.Flows GROUP BY SourceIP, DestinationIP

    This would return only one row:

    SourceIPDestinationIPBytes
    1.1.1.12.2.2.2100

    Now if you would use FlowsByIP entity as follows:

    SELECT IP, SourceIP, DestinationIP, SUM(Bytes) AS Bytes FROM Orion.Netflow.FlowsByIP GROUP BY IP, SourceIP, DestinationIP

    The result would be two rows:

    IPSourceIPDestinationIPBytes
    1.1.1.11.1.1.12.2.2.2100
    2.2.2.21.1.1.12.2.2.2100

    Note that it only appears as if database contain two rows (in reality there is only one). IP column is virtual and contains source/destination field for first/second row - this virtual duplication happens for each flow. This is very useful if you need to filter or group by IP address disregarding its original direction. Same applies to other fields, for example Domain field is also virtual and would hold value from either SourceDomain or DestinationDomain.

    If you don't need any of this logic, I suggest to use Flows entity. If you need to query directional fields disregarding their direction these entities are convenient way how to do that.

    I hope this helps, let me know if you have any further questions.

    Martin

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.