-
|
Hello, I'm not sure if I understood the nfdump manual correctly, where it tells me that I can apply a filter based on the number of flows (provided they are grouped by the options -A, -B, or -b). I'm experiencing an issue when trying to use this type of filter, as it doesn't seem to be based on the grouped flow count. For example, when I execute nfdump with the filter (e.g., nfdump -R exporter_1/ -B -O flows -o "extended" 'flows > 10'), I don't get any results, and the command returns "No matching flows." However, when I use the filter 'flows = 1,' it works perfectly fine, and the "Flows" column shows the correct grouping. Has anyone encountered a similar problem with this type of filter? Any ideas? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
The point is the order of the flow processing chain, how the individual steps are executed.
In your case, it means you would like to apply the filter after aggregation. In order to make this work, you need to create an intermediate file from the exported flow cache. For that, nfdump allows you to write the aggregated flow cache in a new flow file:
By creating this intermediate file, you can filter according to your needs. |
Beta Was this translation helpful? Give feedback.
-
|
It worked perfectly! Thank you for the help and explanations. |
Beta Was this translation helpful? Give feedback.
The point is the order of the flow processing chain, how the individual steps are executed.
In your case, it means you would like to apply the filter after aggregation. In order to make this work, you need to create an intermediate file from the exported flow cache. For that, nfdump allows you to write the aggregated flow cache in a new flow file:
nfdump -r exporter_1/ -B -w tmpFilenfdump -r tmpFile -O flows -o extended 'flows > 10'By creating this intermediate file, you can filter according to your needs.