bps and pps calculation for netflow on ELK and logstash

Note that this adds some CPU usage!

Ruby code for the calculation:

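# Flow duration in seconds (a Float: Time - Time) derived from the exporter's
# switch timestamps. Both fields arrive straight off the wire, so the parser is
# only run when both are present; a value Time.parse cannot read still raises
# inside the filter, so check how your Logstash version reports ruby-filter
# exceptions (newer releases tag the event rather than failing it silently).
# The event['field'] accessor style below is the legacy API; newer Logstash
# releases expect event.get / event.set in ruby filters.
if [netflow][first_switched] and [netflow][last_switched] {
  ruby {
    init => "require 'time'"
    code => "event['netflow']['duration'] = Time.parse(event['netflow']['last_switched']) - Time.parse(event['netflow']['first_switched'])"
  }
}

# Octets -> bits for the bps figure.
if [netflow][in_bytes] {
  ruby {
    code => "event['netflow']['in_bits'] = event['netflow']['in_bytes'] * 8"
  }
}

# Per-second rates over the flow's lifetime. The `> 0` guard keeps a zero,
# negative or missing duration out of the division; the inline `rescue 0`
# turns a missing in_pkts / in_bits into a rate of 0 -- it also masks any other
# error on these two lines, so keep them trivial.
if [netflow][duration] > 0 {
  ruby {
    code => "
      event['netflow']['pps'] = event['netflow']['in_pkts'] / event['netflow']['duration'] rescue 0
      event['netflow']['bps'] = event['netflow']['in_bits'] / event['netflow']['duration'] rescue 0
    "
  }
} else {
  # Zero, negative or missing duration: report the flow's totals as the rate.
  # If in_bits / in_pkts is absent the %{...} reference is left unexpanded and
  # the convert below receives non-numeric text -- verify what your Logstash
  # version does with that.
  mutate {
    replace => [ "[netflow][bps]", "%{[netflow][in_bits]}" ]
    replace => [ "[netflow][pps]", "%{[netflow][in_pkts]}" ]
  }
}

# The division above is Float; store whole numbers for downstream use.
mutate {
  convert => [ "[netflow][pps]", "integer" ]
  convert => [ "[netflow][bps]", "integer" ]
}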
