FAQ: Instead of individual IP’s the table shows as networks

Learn how to change the frequency and aggregation of NetFlow data for real-time or long-term.

NOTE: Network Segmentation will change default aggregation rules.

FAQ: Instead of individual IP’s the table shows as networks

Q: I see the data…but when I go to view the Flows->Business Group->IP address->top talkers S-D … instead of individual IP’s…the table Is showing up as networks (example: 10.0.0.0 , instead of 10.0.1.x, 10.0.11.x ,etc)

A: This occurs because of data collection tuning rules mainly for Long-Term but also to reduce data spaminess.

On the left menu:
  • * Click on “Configuration”, “Data Collection Tuning” and “Rule Policy”.
    * Double click each line ie one for Real-Time and one for Long-Term.
    • -- By default Real-Time has all IP retained as it is a realtime performance element of DigiToll CySight, but as Long-Term is for long-term IP’s are currently rolled up to the structure set in “Configuration”, “Business Groups”, “Networks”.

      -- If you want every IP in Long-Term then simply remove the Long-Term rollup rules and restart. This will increase records retained and may impact Long-Term query performance depending on your hardware specification.

      -- A secondary rule exists for Real-Time that will cause the Port to be aggregated to the known 'Selected" Ports range if the number of flows exceeds 100000 flows per hour over the last 10 minutes (approx 16666 records per ten minute interval).

      Note: When you change the default rule set, please be aware that the default rule set can be overwritten by changing the 'Selected Port' or the Network groupings. To retain your own rules please create a ruleset and attach it to the Device Group to ensure your rules will not be overwritten.