Skip to main content
Version: 6.3

General Settings

EF_PROCESSOR_ENRICH_TOTALS_IF_NO_DELTAS

The vast majority of flow exporters provide byte and packet quantities as DELTA values. This refers to the quantity since the last record for the flow was reported. However some exporters will provide these quantities only as TOTAL values, referring to the quantity over the entire lifetime of the flow. Examples of such exporters are Cisco "Netflow Lite" (e.g. IE4000 series) and some Juniper MX-series when sending IPFIX.

In cases where the exporter sends ONLY totals, it may still be desired to use these values to populate flow.bytes and flow.packets. The idea being that "something is better than nothing". When this option is set to true, total quantities will be used if they are available and when delta quantities are not.

danger

Total quantities can be problematic for many datastores. A simple sum of total values across multiple records within a time window will not produce an accurate quantity, as is it does with delta values. As a result long-lived flows may over-report bytes and packets values if total values are used.

  • Valid Values
    • true, false
  • Default
    • false