Hi, I am running Telegraf 1.31.2 with InfluxDB and the Netflow plugin, with softflowd on an OpenWrt x86 router. When I tried to create some queries for Netflow, I noticed that the traffic volume reported in the query is very low. When I run softflowctl statistics, I get a decent amount of traffic for 2/3 days' worth:
Expired flow statistics:   minimum       average       maximum
  Flow bytes:                   28        207980    2203645109
  Flow packets:                  1           241       2545964
  Duration:                  0.00s        53.01s    138384.52s

Expired flow reasons:
       tcp =     13961   tcp.rst =     35841   tcp.fin =     44933
       udp =    197940      icmp =      1754   general =        73
   maxlife =         0
over 2 GiB =         2
  maxflows =      2323
   flushed =         0

Per-protocol statistics:       Octets     Packets    Avg Life     Max Life
  icmp (1):                   2896636       19704      68.69s     4182.52s
  igmp (2):                   1060880       26507    4865.04s   133519.63s
  tcp (6):                29211319158    38001358     136.40s    93805.02s
  udp (17):               32518911694    33453436      10.53s   138384.52s
For example, above there are some flows over 2GB, but when I use the query below, the max flow I get is only 1.5MB. Also, the logs do not show any errors/warnings. What am I doing wrong here?
from(bucket: "openwrt")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> filter(fn: (r) => r["_measurement"] == "netflow")
  |> filter(fn: (r) => r["_field"] == "in_bytes" or r["_field"] == "src" or r["_field"] == "dst")
  |> pivot(rowKey: ["_time"], columnKey: ["_field"], valueColumn: "_value")
  |> sort(columns: ["in_bytes"], desc: true)
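
One way to check whether data is missing or only looks small per record, as an added example that is not part of the original post: parse the per-protocol table from softflowctl statistics and compare its octet total with a sum of in_bytes taken from InfluxDB. The function names and the `influx_sum_bytes` parameter are hypothetical, and the comparison assumes the query's time range covers the same period as the softflowd counters.

```python
import re

# Per-protocol table copied from the softflowctl output quoted in the post.
STATS = """\
Per-protocol statistics: Octets Packets Avg Life Max Life
icmp (1): 2896636 19704 68.69s 4182.52s
igmp (2): 1060880 26507 4865.04s 133519.63s
tcp (6): 29211319158 38001358 136.40s 93805.02s
udp (17): 32518911694 33453436 10.53s 138384.52s
"""

# Row layout: name (protocol number): octets packets avg-life max-life
ROW = re.compile(r"^\s*(\S+)\s+\((\d+)\):\s+(\d+)\s+(\d+)\s+[\d.]+s\s+[\d.]+s\s*$")


def parse_per_protocol(text):
    """Return {protocol: (octets, packets)} from the per-protocol section."""
    rows, in_table = {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("Per-protocol statistics:"):
            in_table = True
            continue
        match = ROW.match(line) if in_table else None
        if match:
            name, _number, octets, packets = match.groups()
            rows[name] = (int(octets), int(packets))
        elif in_table and rows:
            break  # first non-matching line after the rows ends the table
    return rows


def totals(rows):
    """Sum octets and packets over all protocols."""
    return (sum(o for o, _ in rows.values()), sum(p for _, p in rows.values()))


def stored_fraction(influx_sum_bytes, text=STATS):
    """Fraction of softflowd's expired-flow octets present in InfluxDB.

    influx_sum_bytes is a value you supply (hypothetical parameter): the sum
    of in_bytes over a range covering the same period as the counters.
    """
    octets, _ = totals(parse_per_protocol(text))
    if octets == 0:
        raise ValueError("no per-protocol rows found")
    return influx_sum_bytes / octets


if __name__ == "__main__":
    octets, packets = totals(parse_per_protocol(STATS))
    print(f"softflowd total: {octets} octets in {packets} packets")
```

A fraction near 1.0 means the bytes are stored and the largest single record is simply not the right thing to compare against; a fraction far below 1.0 points at records being lost or undercounted before they reach InfluxDB.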