-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Netflow] Support TSDS #7549
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
I was having the same idea, but for aws.vpcflow data which is very similar just with a smaller number of possible fields. I think we should do a test with using TSDS on one of these flow log data sources. I think storage size would be the biggest benefit. One thing that could cause an issue (particularly in the aws.vpcflow case) is late arriving data (like if it is historical data read from S3). TSDS can only accept data that has a "recent" timestamp (see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#tsds-accepted-time-range). |
Interesting, I didn't really think about historical ("backfill") data here, but it does make sense as to consider. I wonder if elastic/elasticsearch#98463 would help as well in this scenario. I don't really know the dynamics around use cases like importing VPC flow data, so not sure how "useable" this feature would be in a "backfill" scenario. |
Related presentation from ElatiFlow: https://www.youtube.com/watch?v=MuMXNTFsKto&t=1238s&ab_channel=OfficialElasticCommunity |
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
hello 👋 full disclosure I just started reading about TSDS; so here are some quick ones to pick your brains @andrewkroh @BenB196 quoting from here
So, if my interpretation of the above is correct, to take advantage of TSDS we need to define which fields are the metrics. At the moment there is no separation in the fields extracted from netflow input as which ones are eligible as metrics, e.g. I assume this one quoting from here
Again, if my interpretation of the above is correct, we need to have at least one field as dimension; from having a look at the fields these can be What are your thoughts on the above guys? 🙂 |
I think one of the main challenges with TSDS going back to something @andrewkroh pointed out and that is the possibility of needing to backfill data, which doesn't have the greatest experience with TSDS. Elastic is working on a new "LogsDB" index mode, elastic/elasticsearch#106462, which hopefully will provide many of the same benefits of TSDS, without the challenges of backfilling data. I don't think it will be 100% as efficient as TSDS could possibly be, but would still be a nice value add. |
yes! |
Now that LogsDB has landed, is there thought to revisting that as an option for this data? |
LogsDB should already be usable (as it is with most log data streams). You can test it out by adding This is the default index template for the netflow data stream. It already references the Create the logs-netflow.log@custom component template and add the Preview of the final index mapping that shows index.mode was integrated into the final settings. Footnotes |
Hi All,
I was curious if there are any plans to support enabling TSDS on the Netflow integration.
While this integration currently falls under the
logs
type. I think there would be significant value in allowing this integration to leverage TSDS.Netflow contains a large number of metrics and generally at scale, will generate a significant number of timeseries events that need to be indexed and stored. I think that the Netflow integration would receive a significant value increase by leveraging TSDS in indexing speed, storage usage, and search/agg speed.
The text was updated successfully, but these errors were encountered: