General Settings
EF_FLOW_DECODER_ENRICH_DROP_FIELDS
This setting allows for a comma-separated list of fields that are to be removed from all records. The fields are dropped after all enrichment and PRIOR to the records being sent to the enabled outputs.
The conversion from the default CODEX schema to alternate schemas, e.g. Elastic's ECS or Splunk's CIM, happens within the respective outputs. As fields are drop PRIOR to the outputs, CODEX field names must be used to configure this option.
- Valid Values
- any CODEX-schema field names, comma-separated
- Example
flow.export.sysuptime,flow.export.version.ver,flow.start.sysuptime,flow.end.sysuptime,flow.seq_num
- Default
''
EF_FLOW_DECODER_ENRICH_TOTALS_IF_NO_DELTAS
The vast majority of flow exporters provide byte and packet quantities as DELTA values. This refers to the quantity since the last record for the flow was reported. However some exporters will provide these quantities only as TOTAL values, referring to the quantity over the entire lifetime of the flow. Examples of such exporters are Cisco "Netflow Lite" (e.g. IE4000 series) and some Juniper MX-series when sending IPFIX.
In cases where the exporter sends ONLY totals, it may still be desired to use these values to populate flow.bytes and flow.packets. The idea being that "something is better than nothing". When this option is set to true, total quantities will be used if they are available and when delta quantities are not.
Total quantities can be problematic for many datastores. A simple sum of total values across multiple records within a time window will not produce an accurate quantity, as is it does with delta values. As a result long-lived flows may over-report bytes and packets values if total values are used.
- Valid Values
true,false
- Default
false