[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Service Provider NetFlow Collectors
- Subject: Service Provider NetFlow Collectors
- From: raphael.timothy at gmail.com (Tim Raphael)
- Date: Wed, 2 Jan 2019 20:48:32 +0800
- In-reply-to: <CAAeewD9tSpgL1Y7XfPawzpuT=C+GngGKc8gjYUzcVOC6=PfuQA@mail.gmail.com>
- References: <CY4PR17MB120707409BF6F9BAAB83C3BDD3B20@CY4PR17MB1207.namprd17.prod.outlook.com> <[email protected]> <[email protected]> <[email protected]> <CAMDdSzODAo3opMNSqAhiKqjpOmT5CJKVndcfechgbB2BBuY9xA@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <CAAeewD9tSpgL1Y7XfPawzpuT=C+GngGKc8gjYUzcVOC6=PfuQA@mail.gmail.com>
This is correct,
With a flow database you want to be able to say: â??show me all HTTP traffic from subnet a.b.c.0/24â?? which requires you to either keep individual IPs or aggregate subnets. Combined with port and protocol data for both source and destination, the series count shoots way above 10M.
- Tim
> On 2 Jan 2019, at 20:20, Saku Ytti <saku at ytti.fi> wrote:
>
> Hey Tim,
>
>> I would advise against InfluxDB in this case - flow data has a very high (and open) tag cardinality which is not suited to Influx (although their recently new index format has improved this).
>
> I'm not entirely sure I understand. Does this mean the permutations of
> tags are high, i.e. series count is high? If so, isn't this general
> problem and advice against all TSDBs? If so, I fully agree, you
> couldn't/shouldn't make for example IP addresses your tags,
> potentially creating 2**32*2 series without any other tags, it's
> rather non-sensical proposal in TSDB.
>
> Influx themselves comment that >10M series is likely infeasible. So
> you need unique tag combinations to be low millions at most.
> --
> ++ytti