Using UNUM Insight Analytics Flow Search Features


UNUM Insight Analytics Flow provides a powerful search engine with a simple query syntax designed to isolate and filter specific flows among millions in a fraction of a second.


It has the following features:


  • Powerful query syntax to filter flow metadata based on field-based exact matches, regular expressions, ranges, and Boolean operators.
  • Selected views from the Connection Dashboard.
  • IP geolocation for clients and servers, with a custom extension to place devices across a large private network on the map.
  • Aggregated flow statistics: duration, latency, and total bytes per connection.
  • Extensive “time machine” with absolute or relative year-month-day-hour-minute-second granularity.
  • Detailed flow table consisting of over 30 metadata fields associated with each flow.


The UNUM Insight Analytics Flow Search page allows you to search the database using custom text queries.


You enter the text query in the search field, and then click the magnifying glass icon to execute the query.


When data is available, the Search dashboard updates and the records matching the query are displayed in the lower part of the search page.


Queries may be executed on any combination of the following fields (case sensitive):


Field Name                  Example                             Notes
vnet:<string>               vnet:"prod"
vlan:<number>               vlan:24
vxlan:<number>              vxlan:1000
switchName:<name>           switchName:"eta"
srcSwitchPort:<number>      srcSwitchPort:40
dstSwitchPort:<number>      dstSwitchPort:46
etherType:<number>          etherType:2048                      IPv4 (0x0800)
srcMac:<string>             srcMac:"4c:8d:79:eb:95:c2"
dstMac:<string>             dstMac:"00:00:5e:00:01:0a"
srcIp:<string>              srcIp:"10.20.100.100"
dstIp:<string>              dstIp:"216.58.192.34"
app:<string>                app:"https"                         Also app:"ftp-control"; ports can be matched directly with dstPort:<number>, as in dstPort:[20 TO 21]
dscp:<number>               dscp:0
proto:<number>              proto:6                             IP protocol number; 6 is TCP
curState:<string>           curState:"SYN"                      Also "FIN", "EST", "RST"
dur:<number>                dur:50
latency:<number>            latency:1000000                     Time in microseconds (1000000 = 1 second)
startedTimeStr:<string>     startedTimeStr:"1456346059000"      Unix epoch time in milliseconds: 1456346059000 ms = Unix time 1456346059 = Wed, 24 Feb 2016 20:34:19 GMT
endedTimeStr:<string>       endedTimeStr:"1456346159000"        Unix epoch time in milliseconds: 1456346159000 ms = Unix time 1456346159 = Wed, 24 Feb 2016 20:35:59 GMT
throughput:<number>         throughput:4.5
ibytes:<number>             ibytes:0
obytes:<number>             obytes:1000
totalBytes:<number>         totalBytes:5000000
age:<number>                age:7
fabricName:<string>         fabricName:"prod"


Insight Analytics Flow Search - Search Fields

On the Search page, you query a specific subset of transactions from the selected time frame. The query syntax allows Boolean operators, wildcards, and field filtering. For example, to search for HTTP redirects, use the query:


http AND http.code: 302

String Queries


A query may consist of one or more words or a phrase.


A phrase is a group of words surrounded by double quotation marks, such as "test search".


To search for all HTTP requests to a specific domain, enter "mydomain.com" (with the quotation marks) in the search field.



Informational Note: To search for an exact string, wrap the string in double quotation marks. Without quotation marks, the words of the string are matched independently, so the search in the example also returns records that contain only one of them rather than the whole string.



Field-based Queries


You can also search on specific fields in the database. To view HTTP transactions, for example, use the query:


type: http

Regexp Queries


The Search page also supports wildcards and regular expressions in filters and queries. For example, to search for all HTTP responses whose content type ends in json, use a wildcard on the content_type field:


http.content_type: *json

Boolean Queries


Boolean operators (AND, OR, and NOT) combine multiple sub-queries.



Informational Note: Operators must be written in capital letters: AND, OR, NOT, and the TO inside a range.



To search for all flows on any VLAN except VLAN 0, use the query NOT vlan: 0


Parentheses group sub-queries. To search for all HTTP flows that started on a Friday and have any recorded latency, use the following query:


(app: http AND dayOfweek: 6-Fri) AND latency: [0 TO *]


The text query follows a simple syntax, as in the following examples:


Data Query Syntax                                                       Explanation
*                                                                       Wildcard: selects everything; as a range bound it means "from" any value or "up to" any value
NOT vlan:24                                                             Exclude VLAN id 24
srcSwitchPort:[40 TO 45]                                                Include input ports 40 to 45 (square brackets: bounds inclusive)
dstSwitchPort:{9 TO 16}                                                 Include output ports 10 to 15 (curly braces: bounds exclusive)
srcSwitchPort:[10 TO 20] AND dstSwitchPort:{9 TO 16}                    Input port 10 to 20 and output port 10 to 15
srcSwitchPort:[10 TO 20] OR dstSwitchPort:{9 TO 16}                     Input port 10 to 20 or output port 10 to 15
srcHostname: "fc-w550s" AND app: "ssh"                                  Connections from host fc-w550s using ssh
startedTimeStr:["1456346059000" TO "1456346159000"]                     Connections started between Wed, 24 Feb 2016 20:34:19 GMT and Wed, 24 Feb 2016 20:35:59 GMT
NOT startedTimeStr:["1456346059000" TO "1456346159000"]                 Exclude the connections started in the same interval
app:"ssh" AND NOT startedTimeStr:["1456346059000" TO "1456346159000"]   Connections using ssh that started outside the given interval
latency:[1000000 TO *] AND app:"LDAP"                                   Connections to an LDAP server that took 1 second or more to be established
totalBytes:[5000000 TO *]                                               Connections with 5 million bytes of data transfer or more


Insight Analytics Flow Search Syntax Examples



Informational Note: All syntax above is case sensitive.
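The operator and range rules from the Boolean Queries section and the syntax examples above are easiest to trust once they can be exercised. The following Python is added here as an illustration; it is not code from the UNUM product or its documentation. It implements the subset of the syntax this page shows (field:value, quoted phrases, * wildcards, inclusive [a TO b] and exclusive {a TO b} ranges, AND, OR, NOT and parentheses) over a handful of constructed flow records, so that inclusive versus exclusive bounds, NOT on a time interval, and the capitalization rule can be checked offline. The record field names follow the field table; the flow values are invented, and the precedence (NOT over AND over OR, explicit operators only) and the numeric-versus-string comparison rule are this example's own assumptions, not statements about the product's search engine.

```python
# Added example, not code from the UNUM product or its documentation: evaluates the query syntax
# shown on this page (field:value, quoted phrases, * wildcards, [a TO b] / {a TO b} ranges,
# AND/OR/NOT, parentheses) against in-memory flow records.
import re

TOKEN_RE = re.compile(r'\s*(?:(?P<quoted>"[^"]*")|(?P<punct>[()\[\]{}])|(?P<word>[^\s()\[\]{}"]+))')

def tokenize(query):
    """Split a query into (kind, text) tokens: quoted phrase, bracket/paren, or bare word."""
    tokens, pos = [], 0
    while (m := TOKEN_RE.match(query, pos)) is not None:
        pos, kind = m.end(), m.lastgroup
        tokens.append((kind, m.group(kind)[1:-1] if kind == "quoted" else m.group(kind)))
    if query[pos:].strip():  # leftover that is not whitespace, e.g. an unterminated quote
        raise ValueError(f"cannot tokenize {query[pos:]!r}")
    return tokens

def parse(query):  # recursive descent to nested tuples; NOT binds tightest, then AND, then OR
    toks = tokenize(query) + [(None, None)]  # (None, None) marks end of input
    def take():
        return toks.pop(0) if len(toks) > 1 else toks[0]
    def binary(op, operand):
        node = operand()
        while toks[0] == ("word", op):
            take()
            node = (op.lower(), node, operand())
        return node
    def unary():
        if toks[0] == ("word", "NOT"):
            take()
            return ("not", unary())
        kind, text = take()
        if (kind, text) == ("punct", "("):
            node = expr()
            if take() != ("punct", ")"):
                raise ValueError("missing ')'")
            return node
        if kind == "word" and ":" in text[1:]:  # "vlan:24" carries its value; "vlan:" takes the next token(s)
            field, _, rest = text.partition(":")
            return ("match", field, ("term", rest) if rest else value())
        if kind in ("word", "quoted"):  # bare term with no field: may match any field
            return ("match", None, ("term", text))
        raise ValueError(f"unexpected token {text!r}")
    def value():
        kind, text = take()
        if kind == "punct" and text in "[{":  # [ ] bounds are inclusive, { } exclusive
            lo, to, hi, close = take(), take(), take(), take()
            if to != ("word", "TO") or close[0] != "punct" or close[1] not in "]}":
                raise ValueError("malformed range")
            return ("range", lo[1], hi[1], text == "[", close[1] == "]")
        if kind in ("word", "quoted"):
            return ("term", text)
        raise ValueError(f"bad value {text!r}")
    expr = lambda: binary("OR", lambda: binary("AND", unary))
    node = expr()
    if len(toks) > 1:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return node

def _key(x):  # numbers compare numerically (so "24" matches 24); anything else as a string
    return float(x) if re.fullmatch(r"-?\d+(\.\d+)?", str(x)) else str(x)

def _matches(value, target):
    if value[0] == "term":
        if "*" in value[1]:  # wildcard: each * stands for any run of characters
            return re.fullmatch(".*".join(map(re.escape, value[1].split("*"))), str(target)) is not None
        return _key(value[1]) == _key(target)
    _, lo, hi, lo_inc, hi_inc = value
    t = _key(target)
    for bound, inclusive, is_lower in ((lo, lo_inc, True), (hi, hi_inc, False)):
        b = _key(bound)
        if bound == "*" or (t == b and inclusive):  # open-ended, or exactly on an inclusive bound
            continue
        if type(t) is not type(b) or t == b or (t < b) == is_lower:
            return False
    return True

def evaluate(node, record):
    op = node[0]
    if op in ("and", "or", "not"):
        results = [evaluate(child, record) for child in node[1:]]
        return {"and": all, "or": any, "not": lambda r: not r[0]}[op](results)
    _, field, value = node
    targets = record.values() if field is None else [record[field]] if field in record else []
    return any(_matches(value, t) for t in targets)

def search(query, flows):
    node = parse(query)  # parse once, then evaluate against every flow
    return [flow for flow in flows if evaluate(node, flow)]

# Constructed sample flows (not real traffic); startedTimeStr is epoch ms, latency is microseconds.
FIELDS = ("id", "vlan", "srcSwitchPort", "dstSwitchPort", "app", "srcHostname", "latency", "startedTimeStr", "totalBytes")
FLOWS = [dict(zip(FIELDS, row)) for row in (
    (1, 24, 40, 9, "ssh", "fc-w550s", 1500000, "1456346100000", 4096),
    (2, 10, 45, 10, "https", "web-01", 20000, "1456346000000", 6000000),
    (3, 0, 46, 16, "LDAP", "dc-01", 1000000, "1456346200000", 512),
    (4, 24, 12, 15, "ssh", "fc-w550s", 900, "1456346050000", 70),
)]
```

Running search("dstSwitchPort:{9 TO 16}", FLOWS) returns the flows with id 2 and 4 (output ports 10 and 15), while ports 9 and 16 are excluded by the curly-brace bounds; the same query with square brackets would include them. The query app:"ssh" AND NOT startedTimeStr:["1456346059000" TO "1456346159000"] returns only flow 4, the ssh flow that started before the interval, and dstSwitchPort:{9 to 16} with a lowercase "to" is rejected as a malformed range, which is the behaviour the capitalization note above describes.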