Observer GigaFlow

Appendices

Forensic Report Types

See Configuration > Reporting for instructions on how to configure and create new report types.

The pre-loaded report types are listed here; refer to the Direct Filtering Syntax table above for the filter syntax. Queries are run against the PostgreSQL database using SQL.

The Application Flows report is commonly used.

When this report is run for an infrastructure device on your network, GigaFlow returns the following information for each application flow associated with the device:

  • A source address.
  • A destination address.
  • The application involved.
  • A graph of the volume of data transmitted.

The different report types are:

Application

  • The report name.
  • The associated table query, in this case:
    select srcadd as srcadd,dstadd as dstadd,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW
  • The table value field, in this case:
    bits_total
  • The graph query, in this case:
    select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow  WHERECLAUSE group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen
  • The graph time field, in this case:
    afirstseen
  • The graph value field, in this case:
    bits_avgsec
  • The graph key field(s), separated by "__", in this case:
    srcadd__dstadd__appid

ASs by Dst

Table Query: select srcadd as srcadd,dstadd as dstadd,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW
Table Value Field:
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen
Graph Time Field:
Graph Value Field:
Graph Key Field(s) separated by __: srcas

ASs by Source

Table Query: select srcas as srcas, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcas ORDERBY LIMITROW
Table Value Field:
Graph Query: select FIRSTSEEN as afirstseen,srcas as srcas, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcas order by srcas,afirstseen
Graph Time Field:
Graph Value Field:
Graph Key Field(s) separated by __:

ASs Pairs

Table Query: select srcas as srcas,dstas as dstas, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcas,dstas ORDERBY LIMITROW
Table Value Field:
Graph Query: select FIRSTSEEN as afirstseen,srcas as srcas,dstas as dstas, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcas,dstas order by srcas,dstas,afirstseen
Graph Time Field:
Graph Value Field:
Graph Key Field(s) separated by __: srcas__dstas

Address Pairs

Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd order by srcadd,dstadd,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd__dstport

Addresses As Sources And Dest Port By Dest Count (Edit?)

Table Query: select srcadd,dstport,count(distinct(dstadd)) as dstcount from netflow WHERECLAUSE group by srcadd,dstport ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select FIRSTSEEN as afirstseen, srcadd,dstport,cast((count(distinct(dstadd))) as bigint) as dstcount from netflow WHERECLAUSE group by afirstseen,srcadd,dstport order by srcadd,dstport,dstcount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstcount
Graph Key Field(s) separated by __:

Addresses By Dest

Table Query: select dstadd as dstadd, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstadd ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstadd as dstadd, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstadd order by dstadd,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstadd

Addresses By Source

Table Query: select srcadd as srcadd, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd order by srcadd,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd

All Fields

Table Query: select firstseen,duration,device,customerid as tgsrc,engineid as tgdst,userid,userdomain,srcadd,dstadd,srcport,dstport,appid,postureid,nexthop,srcmac,dstmac,device||'_'||inif as difin,device||'_'||outif as difout,pkts,bytes*8 as bits,flags,proto,tos,srcas,dstas,spare as fpr,url,fwextcode,fwevent from netflow WHERECLAUSE ORDERBY LIMITROW
Table Value Field: firstseen
Graph Query: select FIRSTSEEN as afirstseen, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen order by afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __:

All Fields Avg FPR

Table Query: select firstseen,duration,cast( spare as integer) as fpr,device,customerid as tgsrc,engineid as tgdst,srcadd,dstadd,srcport,dstport,appid,nexthop,srcmac,dstmac,inif,outif,pkts,bytes*8 as bits,flags,proto,tos,srcas,dstas from netflow WHERECLAUSE and spare>0 ORDERBY LIMITROW
Table Value Field: firstseen
Graph Query: select FIRSTSEEN as afirstseen,cast( avg(spare) as integer) as maxfpr from netflow WHERECLAUSE and spare >0 group by afirstseen order by afirstseen
Graph Time Field: afirstseen
Graph Value Field: maxfpr
Graph Key Field(s) separated by __:

All Fields Max FPR

Table Query: select firstseen,duration,cast( spare as integer) as fpr,device,customerid as tgsrc,engineid as tgdst,srcadd,dstadd,srcport,dstport,appid,nexthop,srcmac,dstmac,inif,outif,pkts,bytes*8 as bits,flags,proto,tos,srcas,dstas from netflow WHERECLAUSE and spare>0 ORDERBY LIMITROW
Table Value Field: firstseen
Graph Query: select FIRSTSEEN as afirstseen,cast( max(spare) as integer) as maxfpr from netflow WHERECLAUSE and spare >0 group by afirstseen order by afirstseen
Graph Time Field: afirstseen
Graph Value Field: maxfpr
Graph Key Field(s) separated by __:

Application Flows

Table Query: select srcadd as srcadd,dstadd as dstadd,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd__dstadd__appid

Application Flows With User

Table Query: select srcadd as srcadd,dstadd as dstadd,appid as appid,userid as userid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,dstadd,appid,userid ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid,userid as userid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,dstadd,appid,userid order by srcadd,dstadd,appid,userid,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd__dstadd__appid__userid

Applications With Flow Count

Table Query: select appid ,count(*) as flowcount, count(distinct(srcadd)) as srccount, count(distinct(dstadd)) as dstcount, cast(sum(bytes*8)as bigint) as bits_total from netflow WHERECLAUSE group by appid ORDERBY LIMITROW
Table Value Field: flowcount
Graph Query: select FIRSTSEEN as afirstseen,appid ,count(*) as flowcount from netflow WHERECLAUSE group by afirstseen,appid order by flowcount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: flowcount
Graph Key Field(s) separated by __: appid

Class Of Service

Table Query: select tos as tos, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by tos ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,tos as tos, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,tos order by tos,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: tos

Duration Avg

Table Query: select firstseen,duration,cast( spare as integer) as fpr,device,customerid as tgsrc,engineid as tgdst,srcadd,dstadd,srcport,dstport,appid,nexthop,srcmac,dstmac,inif,outif,pkts,bytes*8 as bits,flags,proto,tos,srcas,dstas from netflow WHERECLAUSE ORDERBY LIMITROW
Table Value Field: duration
Graph Query: select FIRSTSEEN as afirstseen,cast( avg(duration) as bigint) as avgduration from netflow WHERECLAUSE group by afirstseen order by afirstseen
Graph Time Field: afirstseen
Graph Value Field: avgduration
Graph Key Field(s) separated by __:

Duration Max

Table Query: select firstseen,duration,cast( spare as integer) as fpr,device,customerid as tgsrc,engineid as tgdst,srcadd,dstadd,srcport,dstport,appid,nexthop,srcmac,dstmac,inif,outif,pkts,bytes*8 as bits,flags,proto,tos,srcas,dstas from netflow WHERECLAUSE ORDERBY LIMITROW
Table Value Field: duration
Graph Query: select FIRSTSEEN as afirstseen,cast( max(duration) as bigint) as maxduration from netflow WHERECLAUSE group by afirstseen order by afirstseen
Graph Time Field: afirstseen
Graph Value Field: maxduration
Graph Key Field(s) separated by __:

FW Event

Table Query: select fwevent as fwevent, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by fwevent ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,fwevent as fwevent, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,fwevent order by fwevent,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: fwevent

FW Ext Code

Table Query: select fwextcode as fwextcode, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by fwextcode ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,fwextcode as fwextcode, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,fwextcode order by fwextcode,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: fwextcode

Interface Pairs

Table Query: select device as device,device||'_'||inif as difin,device||'_'||outif as difout, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by device,difin,difout ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,device as device,device||'_'||inif as difin,device||'_'||outif as difout, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,device,difin,difout order by device,difin,difout,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: device__difin__difout

Interface By Dest

Table Query: select device as device,device||'_'||outif as difout, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by device,difout ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,device as device,device||'_'||outif as difout, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,device,difout order by device,difout,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: device__difout

Interfaces By Destination Pct

Table Query: select netflow.device||'_'||outif as difout ,cast(sum((bytes)*8)/(REPORTPERIOD/1000) as bigint) as pct_avg_out from netflow WHERECLAUSE group by difout ORDERBY LIMITROW
Table Value Field: pct_avg_out
Graph Query: select FIRSTSEEN as afirstseen,device||'_'||outif as difout ,cast(sum((bytes)*8)/(MODER/1000) as bigint) as pct_avg_out from netflow WHERECLAUSE group by afirstseen,difout order by pct_avg_out,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: pct_avg_out
Graph Key Field(s) separated by __: difout

Interfaces By Source

Table Query: select device as device,device||'_'||inif as difin, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by device,difin ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,device as device,device||'_'||inif as difin, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,device,difin order by device,difin,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: device__difin

Interfaces By Source Pct

Table Query: select device||'_'||inif as difin ,cast(sum((bytes)*8)/(REPORTPERIOD/1000) as bigint) as pct_avg_in from netflow WHERECLAUSE group by difin ORDERBY LIMITROW
Table Value Field: pct_avg_in
Graph Query: select FIRSTSEEN as afirstseen,device||'_'||inif as difin ,cast(sum((bytes)*8)/(MODER/1000) as bigint) as pct_avg_in from netflow WHERECLAUSE group by afirstseen,difin order by pct_avg_in,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: pct_avg_in
Graph Key Field(s) separated by __: difin

MAC Address Pairs

Table Query: select srcmac as srcmac,dstmac as dstmac, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcmac,dstmac ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcmac as srcmac,dstmac as dstmac, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcmac,dstmac order by srcmac,dstmac,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcmac__dstmac

MAC Addresses By Dest

Table Query: select dstmac as dstmac, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstmac ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstmac as dstmac, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstmac order by dstmac,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstmac

MAC Addresses By Source

Table Query: select srcmac as srcmac, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcmac ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcmac as srcmac, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcmac order by srcmac,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcmac

Ports As Dest By Dest Add Popularity

Table Query: select dstport,count(distinct(dstadd)) as dstcount from netflow WHERECLAUSE group by dstport ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select FIRSTSEEN as afirstseen, dstport,cast((count(distinct(dstadd))) as bigint) as dstcount from netflow WHERECLAUSE group by afirstseen,dstport order by dstport,dstcount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstcount
Graph Key Field(s) separated by __: dstport

Ports As Dest By Src Add Popularity

Table Query: select dstport,count(distinct(srcadd)) as srccount from netflow WHERECLAUSE group by dstport ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select FIRSTSEEN as afirstseen, dstport,cast((count(distinct(srcadd))) as bigint) as srccount from netflow WHERECLAUSE group by afirstseen,dstport order by dstport,srccount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: srccount
Graph Key Field(s) separated by __: dstport

Ports As Src By Dest Add Popularity

Table Query: select srcport,count(distinct(dstadd)) as dstcount from netflow WHERECLAUSE group by srcport ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select FIRSTSEEN as afirstseen, srcport,cast((count(distinct(dstadd))) as bigint) as dstcount from netflow WHERECLAUSE group by afirstseen,srcport order by srcport,dstcount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstcount
Graph Key Field(s) separated by __: srcport

Ports As Src By Src Add Popularity

Table Query: select srcport,count(distinct(srcadd)) as srccount from netflow WHERECLAUSE group by srcport ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select FIRSTSEEN as afirstseen, srcport,cast((count(distinct(srcadd))) as bigint) as srccount from netflow WHERECLAUSE group by afirstseen,srcport order by srcport,srccount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: srccount
Graph Key Field(s) separated by __: srcport

Ports By Dest

Table Query: select dstport as dstport, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstport ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstport as dstport, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstport order by dstport,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstport

Ports By Source

Table Query: select srcport as srcport, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcport ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcport as srcport, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcport order by srcport,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcport

Posture

Table Query: select postureid as postureid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by postureid ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,postureid as postureid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,postureid order by postureid,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: postureid

Protocols

Table Query: select proto as proto, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by proto ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,proto as proto, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,proto order by proto,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: proto

Servers As Dest With Ports

Table Query: select dstadd ,dstport,srccount,localports,remoteports,sessions,(bytes*8) as bits from (select dstadd as dstadd,dstport,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by dstadd,dstport ) as a where a.sessions>5 and a.localports<5 and a.srccount>5 group by dstadd,dstport,srccount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select afirstseen ,dstadd ,dstport,srccount as srcsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,dstadd as dstadd ,dstport,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstadd ,dstport) as a where a.records>5 and a.localports<3 and a.srccount>5 group by afirstseen,dstadd ,dstport,srccount,localports,bits_avgsec order by dstadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: srcsavgsec
Graph Key Field(s) separated by __: dstadd__dstport

Servers As Dst Address

Table Query: select dstadd ,srccount,localports,remoteports,sessions,(bytes*8) as bits from (select dstadd as dstadd,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by dstadd ) as a where a.sessions>5 and a.localports<5 and a.srccount>5 group by dstadd,srccount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select afirstseen ,dstadd ,srccount as srcsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,dstadd as dstadd,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstadd) as a where a.records>5 and a.localports<5 and a.srccount>5 group by afirstseen,dstadd,srccount,localports,bits_avgsec order by dstadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstadd

Servers AS Src Address

Table Query: select srcadd ,dstcount,localports,remoteports,sessions,(bytes*8) as bits from (select srcadd as srcadd,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by srcadd ) as a where a.sessions>5 and a.localports<5 and a.dstcount>5 group by srcadd,dstcount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select afirstseen ,srcadd ,dstcount as dstsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,srcadd as srcadd,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd) as a where a.records>5 and a.localports<5 and a.dstcount>5 group by afirstseen,srcadd,dstcount,localports,bits_avgsec order by srcadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd

Servers As Src With Ports

Table Query: select srcadd ,srcport,dstcount,localports,remoteports,sessions,(bytes*8) as bits from (select srcadd as srcadd,srcport,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by srcadd,srcport ) as a where a.sessions>5 and a.localports<5 and a.dstcount>5 group by srcadd,srcport,dstcount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select afirstseen ,srcadd ,srcport,dstcount as dstsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,srcadd as srcadd ,srcport,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd ,srcport) as a where a.records>5 and a.localports<3 and a.dstcount>5 group by afirstseen,srcadd ,srcport,dstcount,localports,bits_avgsec order by srcadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstsavgsec
Graph Key Field(s) separated by __: srcadd__srcport

Sessions

Table Query: select srcadd as srcadd,srcport as srcport,dstadd as dstadd,dstport as dstport,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,srcport,dstadd,dstport,appid ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,srcport as srcport,dstadd as dstadd,dstport as dstport,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,srcport,dstadd,dstport,appid order by srcadd,srcport,dstadd,dstport,appid,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd__srcport__dstadd__dstport__appid

Sessions Flows

Table Query: select firstseen as firstseen,srcadd as srcadd,srcport as srcport,dstadd as dstadd,dstport as dstport,appid as appid,proto as proto, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by firstseen,srcadd,srcport,dstadd,dstport,appid,proto ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,firstseen as firstseen,srcadd as srcadd,srcport as srcport,dstadd as dstadd,dstport as dstport,appid as appid,proto as proto, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,firstseen,srcadd,srcport,dstadd,dstport,appid,proto order by firstseen,srcadd,srcport,dstadd,dstport,appid,proto,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: firstseen__srcadd__srcport__dstadd__dstport__appid__proto

Sessions With Ints

Table Query: select srcadd as srcadd,srcport as srcport,inif as inif,dstadd as dstadd,dstport as dstport,outif as outif,appid as appid, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcadd,srcport,inif,dstadd,dstport,outif,appid ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd as srcadd,srcport as srcport,inif as inif,dstadd as dstadd,dstport as dstport,outif as outif,appid as appid, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd,srcport,inif,dstadd,dstport,outif,appid order by srcadd,srcport,inif,dstadd,dstport,outif,appid,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcadd__srcport__inif__dstadd__dstport__outif__appid

Subnet Class A By Dest

Table Query: select dstadd-modulus(dstadd,16777216) as dstsubneta, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstsubneta ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstadd-modulus(dstadd,16777216) as dstsubneta, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstsubneta order by dstsubneta,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstsubneta

Subnet Class A By Source

Table Query: select srcadd-modulus(srcadd,16777216) as srcsubneta, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcsubneta ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd-modulus(srcadd,16777216) as srcsubneta, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcsubneta order by srcsubneta,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcsubneta

Subnet Class B By Dest

Table Query: select dstadd-modulus(dstadd,65536) as dstsubnetb, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstsubnetb ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstadd-modulus(dstadd,65536) as dstsubnetb, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstsubnetb order by dstsubnetb,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstsubnetb

Subnet Class B By Source

Table Query: select srcadd-modulus(srcadd,65536) as srcsubnetb, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcsubnetb ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd-modulus(srcadd,65536) as srcsubnetb, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcsubnetb order by srcsubnetb,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcsubnetb

Subnet Class C By Dest

Table Query: select dstadd-modulus(dstadd,256) as dstsubnetc, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by dstsubnetc ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,dstadd-modulus(dstadd,256) as dstsubnetc, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstsubnetc order by dstsubnetc,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: dstsubnetc

Subnet Class C By Source

Table Query: select srcadd-modulus(srcadd,256) as srcsubnetc, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by srcsubnetc ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,srcadd-modulus(srcadd,256) as srcsubnetc, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcsubnetc order by srcsubnetc,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: srcsubnetc

Subnet Class C Destination By Dest IP Count

Table Query: select dstadd-modulus(dstadd,256) as dstsubnetc,count(distinct(dstadd)) as dstcount from netflow WHERECLAUSE group by dstsubnetc ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: select FIRSTSEEN as afirstseen, dstadd-modulus(dstadd,256) as dstsubnetc,cast((count(distinct(dstadd))) as bigint) as dstcount from netflow WHERECLAUSE group by afirstseen,dstsubnetc order by dstcount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstcount
Graph Key Field(s) separated by __: dstsubnetc


Subnet Class C Source By Source IP Count

Table Query: select srcadd-modulus(srcadd,256) as srcsubnetc,count(distinct(srcadd)) as srccount from netflow WHERECLAUSE group by srcsubnetc ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select FIRSTSEEN as afirstseen, srcadd-modulus(srcadd,256) as srcsubnetc,cast((count(distinct(srcadd))) as bigint) as srccount from netflow WHERECLAUSE group by afirstseen,srcsubnetc order by srccount,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: srccount
Graph Key Field(s) separated by __: srcsubnetc
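As an added example (not Observer GigaFlow's own code), the following Python script takes four of the templates listed above, the Application Flows table and graph queries, the Addresses As Sources And Dest Port By Dest Count table query, and the Subnet Class C By Source table query, fills in the WHERECLAUSE, ORDERBY, LIMITROW, FIRSTSEEN and MODER placeholders, and runs them in SQLite over a constructed netflow table. The placeholder meanings, the storage of addresses as 32-bit integers, the modulus() function (registered here because SQLite has none) and the sample flows are all assumptions made for this example. Filter values are bound as parameters rather than pasted into the clause, and the ORDERBY field is checked to be a bare identifier; that is the check worth keeping when a custom report type is built from operator-supplied fields.

```python
"""Expand GigaFlow-style forensic report templates and run them on a
constructed netflow table in SQLite.  Added example, not Observer GigaFlow's
own code: the placeholder replacement rules, column types, modulus() and
the sample flows are assumptions made here for illustration."""
import ipaddress
import re
import sqlite3

# Templates copied from the page.
APPLICATION_TABLE = (
    "select srcadd as srcadd,dstadd as dstadd,appid as appid, "
    "cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE "
    "group by srcadd,dstadd,appid ORDERBY LIMITROW")
APPLICATION_GRAPH = (
    "select FIRSTSEEN as afirstseen,srcadd as srcadd,dstadd as dstadd,appid as appid, "
    "cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE "
    "group by afirstseen,srcadd,dstadd,appid order by srcadd,dstadd,appid,afirstseen")
SRC_DSTPORT_BY_DSTCOUNT = (
    "select srcadd,dstport,count(distinct(dstadd)) as dstcount from netflow "
    "WHERECLAUSE group by srcadd,dstport ORDERBY LIMITROW")
SUBNET_C_BY_SOURCE = (
    "select srcadd-modulus(srcadd,256) as srcsubnetc, cast((sum(bytes)*8) as bigint) "
    "as bits_total from netflow WHERECLAUSE group by srcsubnetc ORDERBY LIMITROW")

T0 = 1_700_000_000_000            # constructed start time, epoch milliseconds
IDENT = re.compile(r"[a-z_][a-z0-9_]*")


def ip2int(addr):
    """Addresses are assumed to be stored as 32-bit integers; the subnet
    reports subtract modulus(addr, 256), which only makes sense for ints."""
    return int(ipaddress.IPv4Address(addr))


def expand(template, where_sql, order_field, limit, moder_ms=60_000):
    """Fill the placeholders textually.  Assumed meanings: WHERECLAUSE is the
    filter built from the Direct Filtering Syntax (values are bound later as
    parameters, never pasted in), ORDERBY/LIMITROW give a top-N ordering on one
    result column, FIRSTSEEN is firstseen rounded down to a MODER-millisecond
    bucket and MODER is the graph resolution in milliseconds."""
    if not IDENT.fullmatch(order_field):   # only a plain identifier may be spliced in
        raise ValueError(f"bad order field: {order_field!r}")
    bucket = f"((firstseen / {int(moder_ms)}) * {int(moder_ms)})"
    return (template.replace("WHERECLAUSE", "where " + where_sql)
            .replace("ORDERBY", f"order by {order_field} desc")
            .replace("LIMITROW", f"limit {int(limit)}")
            .replace("FIRSTSEEN", bucket)
            .replace("MODER", str(int(moder_ms))))


def build_sample_db():
    """In-memory table with constructed flows: one steady HTTPS session and
    one host touching 20 neighbours on port 445 within 20 seconds."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("modulus", 2, lambda a, b: a % b)  # assumed product-supplied function
    conn.execute("create table netflow (firstseen integer, device text, srcadd integer, "
                 "dstadd integer, srcport integer, dstport integer, appid integer, bytes integer)")
    rows = [(T0 + i * 60_000, "core-rtr", ip2int("10.0.0.2"), ip2int("10.0.1.10"),
             50_000 + i, 443, 443, 120_000) for i in range(3)]
    rows += [(T0 + i * 1_000, "core-rtr", ip2int("10.0.0.5"), ip2int(f"10.0.1.{i + 1}"),
              40_000 + i, 445, 445, 200) for i in range(20)]
    conn.executemany("insert into netflow values (?,?,?,?,?,?,?,?)", rows)
    return conn


def run_report(conn, template, where_sql, params, order_field, limit=10, moder_ms=60_000):
    """Expand a template, bind the filter values and return the result rows."""
    sql = expand(template, where_sql, order_field, limit, moder_ms)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    flt = "device = ? and firstseen >= ? and firstseen < ?"
    args = ("core-rtr", T0, T0 + 600_000)
    for name, tpl, field in [("Application Flows", APPLICATION_TABLE, "bits_total"),
                             ("Sources by dest-port spread", SRC_DSTPORT_BY_DSTCOUNT, "dstcount"),
                             ("Subnet Class C By Source", SUBNET_C_BY_SOURCE, "bits_total"),
                             ("Application Flows graph", APPLICATION_GRAPH, "bits_avgsec")]:
        print(name)
        for row in run_report(db, tpl, flt, args, field, limit=5):
            print("  ", row)
```

Run as a script, the dest-count report puts the host that reached 20 distinct addresses on port 445 at the top with dstcount 20, which is the spread that report exists to surface, while the Application Flows table ranks the long HTTPS session first by bits_total and the Subnet Class C report collapses both sources into the single 10.0.0.0 key. Integer division and GROUP BY on an output alias behave the same in SQLite and PostgreSQL, so the expanded text is what the product would send, apart from the assumed placeholder rules.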

TCP Flags

Table Query: select flags as flags, cast((sum(bytes)*8) as bigint) as bits_total from netflow WHERECLAUSE group by flags ORDERBY LIMITROW
Table Value Field: bits_total
Graph Query: select FIRSTSEEN as afirstseen,flags as flags, cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,flags order by flags,afirstseen
Graph Time Field: afirstseen
Graph Value Field: bits_avgsec
Graph Key Field(s) separated by __: flags

Traffic Grou