FlowFalcon View Editor

View List

The view list displays the following information.

• Default - Displays next to the view that is used by default for quick chain reports.

• Name - Displays the view name.

• Category - Displays the category name to which the view is a member.

• Aggregated - Displays Yes for views that use aggregated flow data or displays nothing for views that use raw flow data.

• Enabled - Displays for views that are enabled for use in reports or displays for views that do not appear in the list of views for which you can create a report.

Manage FlowFalcon Views

SevOne NMS provides a starter set of FlowFalcon views to enable you to create FlowFalcon reports right out of the box and to help create FlowFalcon views that are specific to your network.

Click on a view in the list to populate the View Properties section and the Flow Fields sections on the right with the flow template fields that are available to add to the view and the flow template fields that are in the view.

• # Devices - Displays the number of devices that send flow template data that could be used by the FlowFalcon view. Data from these devices could appear in a FlowFalcon report if you use this FlowFalcon view to generate the report.

• # Devices - Displays the number of devices that do not send flow template data that the view supports.

Click or to display the Supported Devices pop-up that lists the name and IP Address of the devices that send data that the view supports and the names of the devices that do not send flow template data that appears in the view.

1. Either click Add above the view list or select a view in the list to manage FlowFalcon views.

2. In the View Name field, enter the view name.

3. Click the Category drop-down.

   • Select the category in which to include the view.

   • Select New Category and enter the category name in the Category Name field to add a category.

4. Select a Default Sort option.

   • Select Ascending to sort data from low value to high value.

   • Select Descending to sort data from high value to low value.

5. Select the Aggregated Data check box to create an aggregated view that uses aggregated flow data. At present, there is a limit of 10 aggregated views your appliance can support. Leave clear to create a view that uses raw flow data.

   When you clear the check box in edit workflows, a message informs you that any aggregated data associated with the view will be deleted. Click OK on the message but be aware that when you click Save, all aggregated data that is associated with the view is deleted.

6. Select the Enabled check box to enable users to use the view in FlowFalcon reports.

7. The Flow Fields section enables you to select the flow template fields to include in the view. Filters enable you to limit the fields that appear in the Available Fields list.

   • Click the Device Filter drop-down and select the device from which to display fields.

   • Click the Template Filter drop-down to further filter the list to the fields in a specific template for the device you select in the previous filter.

   • Click the Flags drop-down and select to display only Keys, only Metrics, or both Keys and Metrics.

8. Move fields from the Available Fields list to the Fields In View list to include fields in the view. The fields display in the report in the sequence in which they appear in the Fields In View list and the first metric type field is the field on which the report sorts.

   Under Fields in View, you can select multiple aggregation types. When you click on the Aggregation Type, you are presented with a drop-down list with Sum, Average, Average Non-zero, or Max options. You can choose one or more aggregation types from this drop-down list which is obtained when you click on the aggregation type of the metric already selected.

   Under Available Fields, the following field names have the Flags column set to Metrics ( ) instead of Key ( ). However, if the FlowFalcon View is using the field as a Key then, it will not change the Flags column for that particular field name from Keys to Metrics.

   • TCP ACK Total

   • TCP FIN Total

   • TCP PSH Total

   • TCP RST Total

   • TCP SYN Total

   • TCP URG Total

9. Click one of the following.

   • When you edit a view, click Save to overwrite the original view with the changes you make. This deletes any existing aggregated data for an aggregated view.

   • Click Save as New to create a copy of the view. This preserves aggregated data for the original view when you edit an aggregated view. (The new aggregated view starts out with no aggregated data.)

   • When you edit a view, click Delete to delete the view and any associated aggregated data.

Source Templates and Options Templates

Flow template data varies depending upon the device. Most flow devices send source templates that contain fields from which performance metrics can be directly polled. Flow v9 and v10 send additional options template fields that are more descriptive yet contain valuable metadata on which to report.

Select a device in the Flow Devices list to display the source templates the device sends on the Source Devices tab and the options templates the device send on the Options Templates tab. The following information appears in the Templates section on both tabs.

The Source Templates from the selected flow device list and the Options Templates from the selected flow device list appears on the left side of the tab.

• ID – Displays the field identifier sent from the device with the flow template.

• Source Port – Displays the port on the device from which the flow template was sent.

• Version – Displays the flow version number.

• Last Seen – Displays the last time the template was received from the flow device.

Select a template in the list to display the template fields that can be used in FlowFalcon views for FlowFalcon reports.

• Flags:

  • - Flow field is a key.

  • - Flow field is a metric.

  • - You can edit the field.

  • - You cannot edit the field.

• Enterprise ID - Displays the identification of the enterprise (typically the manufacturer) that creates the field identifier.

• Field ID - Displays the flow template field identifier.

• Field - Displays the field name.

• Order - Displays the sequence location of the field within the flow template.

• Length - Displays the size of the field in bytes.
  
  

Edit Fields

When a field displays in the Flags column, you can perform the following steps to edit the field. This workflow varies from field to field. Steps in the following workflow appear when applicable and are disabled when they cannot be edited.

1. Click in the Actions column to display the Flow Template Field – Configure As Key/Metric pop-up.

2. In the Name field, edit the field name.

3. Select one of the following:

   1. Select Key to define the field as a key.

      Example

      

      • Click the Field Type drop-down. Select the appropriate field type from the drop-down. The drop-down options depend on the key length.

        Key Length	Field Types
        1	Direction, Protocol, String, Number
        2	Port, Interface, String, Number
        4	AS Path, IP, MPLS Tag, String, Number
        6	MAC, String
        8	String, Number
        16	IP Hybrid, IPv6, String
        32	String
        128	AS Path, String If field is a variable-length field, then String is the only option available. And, there is no drop-down available for this scenario.
        256	String

      • Select one of the following if field type String or Number is chosen.

        • Select Without Lookup to not use a lookup table for the field.

        • Select Lookup Table to use a lookup table for the field. If you select this option perform the following steps.

          1. Click the Lookup Table drop-down.

             • Select the lookup table for the field to use.

             • Select New Lookup Table and enter the lookup table name in the Name field to define a new lookup table.

          2. Click Add Code or click to add or edit a code in the lookup table.

          3. In the Code field, enter the lookup table code.

          4. In the Value field, enter the code value.

          5. Click Update to save the code.

          6. Repeat to add additional codes to the lookup table.
             
             

      If an editable field has a length of 1, 2, 4, or 8, it can also be configured as a Metric.

   2. Select Metric to define the field as a metric.

      Example

      

      • Click Measured as drop-down to choose how to measure the metrics.

      • Click Display as drop-down to choose how to display the metrics.

      • Click the Default Aggregation drop-down and select the aggregation to use by default.

4. Click Save.

   All aggregated data for every FlowFalcon view that uses the field you edit is deleted.

Synthetic Key Fields

You can combine options template fields into synthetic key fields. You create synthetic key fields on the Options Templates tab and they then appear in the list of Source Template fields on the Source Templates tab. Each options template can have multiple synthetic key field.

1. In the Flow Devices section, select a device to display its source templates in the Templates: Source & Options section.

2. Select the Options Templates tab.

3. In the Options Templates from the selected flow device section, select a template row to display the selected options template's fields in the Options Template Fields section.

   All fields must be configured before you can proceed to the next step. See the Edit Fields section above to configure any fields that display Not Configured.

4. In the Options Templates from the selected flow device section Actions column, click to display the Synthetic Key Field Editor pop-up.

5. Click the Synthetic Key drop-down and select an existing synthetic key from the list.

   Synthetic Key field is available only when synthetic keys exist.

6. In the Display Name field, enter the name to display for the field in FlowFalcon reports.

7. Click the Delimiter drop-down and select the delimiter to display between the fields you will add to the synthetic field.

8. Multiple synthetic keys can be created when the same Resolve Key is added one at a time. Drag a field from the Available Fields section into the Resolve Key field. The Resolve Key must be a field that exists in the source template and becomes the synthetic field into which metadata is parsed. The Resolve Key field must be a String field type.

   

   Or, you may drag one or more fields from the Available Fields section into the Resolve Key field. The Resolve Key must be a field that exists in the source template and becomes the synthetic field into which metadata is parsed. If more than one field is added, the fields are separated by a comma. The Resolve Key field must be a String field type.
   

   

   
   This associates the Options Templates and the Source Templates data.

9. Drag fields from the Available Fields section into the Expression field to combine the available fields into one synthetic field that displays in reports. The Expression accepts fields that have the Generic storage type and the String storage type.
   

   Resolve Key and Expression fields must be different.

10. Select the Enabled check box to make the field available for inclusion in FlowFalcon views.

11. If you want to delete a row under Synthetic Keys, place your cursor on the row you want to delete and click under Actions column.

12. To modify an existing Synthetic Key, modify the field(s) and click Save. This will overwrite the existing key. To save a new key, click Save as New.

13. When done, click Close.