At NTA 4.0 Entity Model · solarwinds/OrionSDK Wiki · GitHub bottom of the page is the following query
-- query top 10 IP conversations in the first hour of the year 2014
SELECT TOP 10 f.SourceIP, f.DestinationIP, SUM(f.Bytes) as TotalBytes
FROM Orion.Netflow.FlowsByConversation f
WHERE f.TimeStamp > '2014-01-01 00:00:00' AND f.TimeStamp <= '2014-01-01 01:00:00'
GROUP BY f.SourceIP, f.DestinationIP
ORDER BY SUM(f.Bytes) DESC
When I run this (changing the date and number of top conversations to report naturally) to match the report generated on the Orion web interface "NetFlow Conversations Summary", I do not get similar results. Some of the flows are close enough (within rounding errors) but others are way off, some are not reported .
Is my theory that I should be able to match (and validated) the SQL in this manner valid?