1) Have you looked at this information on github that explains the NTA 4.0 tables? (NTA 4.0 Entity Model · solarwinds/OrionSDK Wiki · GitHub). FYI, I have tried using the different Flow tables to try and put together 'Top XX Flows' charts but I didn't see a performance improvements between the tables. So Im not sure what the benefits of the tables are.
2) Here is an example of a 'Top XX Selected Flows' grouped by City. This works however no matter how I filter the results it still takes over a minute for the query to complete. When I try to increase the timeframe of the report it does not complete. Have you tried any other ways to increase the timeframe of your reports?
SELECT N.City, CHANGETIMEZONE(TimeStamp, '-05:00') AS Time_In_EST, SUM(TotalBytes)/1048576 AS SUM_Bytes_MB, SourceIP, DestinationIP, Port
FROM Orion.Netflow.FlowsByIP F
JOIN Orion.NodesCustomProperties N on F.NodeID = N.NodeID
JOIN Orion.Netflow.Countries as CO ON F.SourceCountryCode = CO.CountryCode
WHERE SourceCountryCode = '-P' AND SourceIP > 'IPADDRESS' AND SourceIP < 'IPADDRESS' AND (F.TimeStamp>=(GetDate())-1)
GROUP BY N.City, DestinationIP
ORDER BY N.City, DestinationIP, TotalBytes DESC
Hope this helps.
Thanks for your contribution on this one.
Unfortunately I haven't performed any benchmarks on different methods/tables/NTA entities.
Have you tried connecting SWQL Studio to Orion with SWISv2 rather than v3? Different service, may have different methods
Create a Top 5 Conversations report to get Ingress and Egress information
This article describes how to create a Top 5 Conversations report and get both Ingress and Egress information in the web reports for one specific node.
- NPM v11.5.2 with Hotfix 5
- NTA v4.1.1
- Create a new report.
- Select Custom Table and click Continue.
- Make sure the Selection Method is Dynamic Query Builder.
- Select Advance Selector.
- Select I want to report on Netflow By Conversation History.
- Select Where All child conditions must be satisfied (AND).
Note: This is the default and should not be changed.
- Click the green plus button to add simple condition.
- Choose Select Field and ensure that the Orion Object is set to Netflow By Conversation.
- Select NodeID.
- Set this to - is equal to and add the numbered value for the NodeID.
Note: The NodeID can be found in the Nodesdata table.
- Add this to the layout and this completes the query.
- When Editing the table layout, add:
- Caption (the Orion Object should be set to Node to find this value)
- Source IP
- Destination IP
- Ingress Bytes
- Egress Bytes
- Total Bytes
- Ensure that the Ingress, Egress, and Total columns are expanded by clicking the plus button to configure them.
- Make sure the display setting is in Data Unit Bytes (1000) and that Data Aggregation is set to Sum. Other settings can be left as they are.
This is important if you want to see ingress or egress on the same page in order to Sort results.
- Select the following:
Ingress Bytes - Netflow By Conversation History (Descending) for inbound traffic
Egress Bytes - Netflow By Conversation History (Descending)
Note: Select only one depending on what you need, but you can always duplicate the Custom Table and change that field to the other direction to have both show up on one report.
- Group Results by Node - Node.
- Select Show only top 5 records.
- Click Submit to finish the table layout.
- Provide a name for this report and set the time on when the report should run. Then click Next.
The preview of the report should look something like the example below.
Note: This example shows one table for Ingress and the second table below is for Egress. To get both of the reports, duplicate the first table and then set the duplicate to Egress Bytes - Netflow By Conversation History (Descending) in the table layout.
20. Click Next.
21. Tick the My favorite Reports box if you easily want to find the report. Click Next.
22. Optional: Schedule the report and click Next.
23. The Summary Page appears. Click Submit.
You are done.
Thanks for the walk-through, however your method defines a static selection of NodeID(s) where I need a filter mechanism to select the top X (Conversations by total bytes) out of the top Y (Nodes with most NetFlow traffic), where the NodeIDs are not known prior creating the report.