Production Network Monitoring

This chapter describes the dashboards provided on the Production Network tab, which shows traffic and events on the production network interfaces connected to the DANZ Monitoring Fabric. This chapter includes the following sections:

sFlow®

Click the Fabric option to display the sFlow®* dashboard, which is shown by default. It summarizes information from the sFlow messages sent to the Arista Analytics server from the DANZ Monitoring Fabric controller or other sFlow agents. This dashboard provides the following panels:
  • Top Sources
  • Source Port
  • Top Destinations
  • Destination Port
  • Traffic over time
  • Flow by Filter Interface
  • Flow by Device & IF
  • Count sFlow vs. Last Wk
  • Flow QoS PHB
  • Flow Source
  • Flow Destination
  • sFlow MTU Distribution
  • Flows by Time

sFlow and VXLAN

The sFlow dashboard shows both the outer and inner flows of VXLAN packets, based on the VNI number of the VXLAN packet. To see all the inner flows of a particular VXLAN packet, first filter on VXLAN in the App L4 Port window to display all VXLAN packets. Identify the VXLAN packet you are interested in from the Flows by Time window. Expand the row, note the packet's VNI number, then remove the VXLAN filter and filter on the VNI number instead. The dashboard then shows both the outer flow of the VXLAN packet and all the inner flows associated with it.

NetFlow and IPFIX

Click NetFlow to display the following dashboard:
Figure 1. Production Network > NetFlow Dashboard

Configure the NetFlow collector interface on the Arista Analytics Node to obtain NetFlow packets, as described in the Setting up the NetFlow Collector on the Analytics Node section.

The NetFlow dashboard summarizes information from the NetFlow messages sent to the Arista Analytics Node from the DANZ Monitoring Fabric controller or other NetFlow flow exporter and provides the following panels:
  • nFlow Source IP (inner) Destination IP (outer)
  • NF over Time
  • nFlow Live L4 Ports
  • nFlow by Filter Interface
  • nFlow by Production Device & IF
  • NF by QoS PHB
  • NF by DPI App Name
  • NF Top Talkers by Flow
  • NF Detail
Note: To display the fields in the nFlow by Filter Interface panel for NetFlow V5 and IPFIX generated by the DMF Service Node appliance, the records-per-interface and records-per-dmf-interface knobs must be configured on the DANZ Monitoring Fabric controller.
Starting from the BMF-7.2.1 release, the Arista Analytics Node can also handle NetFlow V5/V9 and IPFIX traffic. All of these flows are stored in the NetFlow index. On the NetFlow dashboard, apply filters to display specific flow information.
Figure 2. NetFlow Version 5
Figure 3. NetFlow Version 9
Figure 4. NetFlow Version 10
Note:
  1. The Arista Analytics Node cluster listens for NetFlow v9 and IPFIX traffic on UDP port 4739. NetFlow v5 traffic is received on UDP port 2055.
  2. Refer to DANZ Monitoring Fabric 8.4 User Guide for NetFlow and IPFIX service configuration.
  3. Starting from the DMF-8.1.0 release, the Analytics Node also supports the following Arista Enterprise-Specific Information Element IDs:
    • 1036: AristaBscanExportReason
    • 1038: AristaBscanTsFlowStart
    • 1039: AristaBscanTsFlowEnd
    • 1040: AristaBscanTsNewLearn
    • 1042: AristaBscanTagControl
    • 1043: AristaBscanFlowGroupId

Consolidating Netflow V9/IPFIX records

You can consolidate NetFlow V9 and IPFIX records by grouping those with similar identifying characteristics within a configurable time window. This process reduces the number of documents published in Elasticsearch, decreases disk usage, and improves efficiency. This is particularly beneficial for long flows, where consolidations as high as 40:1 have been observed. However, enabling consolidation is not recommended for environments with low packet flow rates, as it may cause delays in the publication of documents.

The following configuration sets the load-balancing policy of Netflow/IPFIX traffic among nodes in DMF Analytics.
cluster:analytics# config
analytics(config)# analytics-service netflow-v9-ipfix
analytics(config-controller-service)# load-balancing policy source-hashing
The two settings are:
  • Source hashing: forwards packets to nodes based on a hash of their source IP address, so all packets from a given source are handled by the same node. Consolidation operations are performed on each node independently in source hashing.
  • Round-robin: distributes the packets equally among the nodes; use it if source hashing results in a significantly unbalanced traffic distribution. Round-robin is the default behavior.
Note: In a cluster setup, configure round-robin to lighten the load on the leader node when the flow rate is higher than 10k/sec.
Note: This configuration doesn’t apply to single-node deployments.

Kibana Setup

To perform the Kibana configuration, select the System > Configuration tab on the Fabric page and open the Analytics Configuration > netflow_stream panel:

Figure 5. Kibana setup
For editing the netflow stream, go to the following tab:
Figure 6. Edit the netflow stream
There are three required settings:
  • enable: turn consolidation on or off.
  • window_size_ms: the consolidation window, in milliseconds. Size it according to the rate of NetFlow V9/IPFIX packets per second the Analytics Node receives. The default window size is 30 seconds (30000 ms).
  • mode: There are three supported modes:
    • ip-port: consolidates records with the same source IP address, destination IP address, and IP protocol number, and the same lower-numbered Layer 4 port (the smaller of the source and destination port numbers).
    • dmf-ip-port-switch: consolidates records that meet the ip-port criteria and come from the same DMF filter switch.
    • src-dst-mac: consolidates records with the same source and destination MAC addresses.
      Note: Use this mode when NetFlow V9/IPFIX templates collect only Layer 2 fields.
Starting in DMF-8.5.0, the configuration mentioned above is set under a “consolidation” JSON object as follows:
Figure 7. Consolidating Netflow
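The following Python script, added here as an illustration and not part of Arista's implementation, models the consolidation logic described above for the three modes on constructed records; the record field names (src_ip, dst_ip, proto, src_port, dst_port, dmf_switch, src_mac, dst_mac, ts_ms, bytes, packets) are assumed.

```python
"""Window-based consolidation of NetFlow V9/IPFIX records (illustration only).

Models the ip-port, dmf-ip-port-switch and src-dst-mac modes: records that
share a key and fall within window_size_ms of the first record of their group
become one document instead of many.
"""
from collections import OrderedDict


def record_key(rec, mode):
    """Identifying characteristics that must match for two records to consolidate."""
    if mode == "src-dst-mac":
        # Templates that carry only Layer 2 fields: key on the MAC pair.
        return (rec["src_mac"], rec["dst_mac"])
    # ip-port: same src/dst IP and IP protocol; the lower of the two L4 port
    # numbers is used so that a changing ephemeral port does not split the flow.
    key = (rec["src_ip"], rec["dst_ip"], rec["proto"],
           min(rec["src_port"], rec["dst_port"]))
    if mode == "dmf-ip-port-switch":
        # Additionally require the records to come from the same DMF filter switch.
        key += (rec["dmf_switch"],)
    return key


def consolidate(records, mode="ip-port", window_size_ms=30_000, enable=True):
    """Return the documents that would be published to Elasticsearch.

    Records are processed in timestamp order.  A record joins the open group
    for its key while it lies within window_size_ms of that group's first
    record; otherwise the group is published and a new one is opened.
    """
    if not enable:
        return [dict(r) for r in records]
    groups = OrderedDict()  # key -> document still accumulating
    output = []
    for rec in sorted(records, key=lambda r: r["ts_ms"]):
        key = record_key(rec, mode)
        doc = groups.get(key)
        if doc is not None and rec["ts_ms"] - doc["window_start_ms"] > window_size_ms:
            output.append(groups.pop(key))  # window expired: publish, start afresh
            doc = None
        if doc is None:
            doc = dict(rec)
            doc["window_start_ms"] = rec["ts_ms"]
            doc["record_count"] = 1
            groups[key] = doc
        else:
            doc["bytes"] += rec["bytes"]
            doc["packets"] += rec["packets"]
            doc["record_count"] += 1
            doc["ts_ms"] = rec["ts_ms"]  # keep the latest timestamp seen
    output.extend(groups.values())  # flush groups still open at end of input
    return output


# Constructed sample: one long HTTPS flow exported as ten records over 45 s
# (note the varying ephemeral source port), plus one unrelated DNS record.
SAMPLE = [
    {"src_ip": "10.1.1.5", "dst_ip": "203.0.113.7", "proto": 6, "src_port": 51000 + i,
     "dst_port": 443, "dmf_switch": "filter-sw1", "src_mac": "00:11:22:33:44:55",
     "dst_mac": "66:77:88:99:aa:bb", "ts_ms": i * 5_000, "bytes": 1500, "packets": 1}
    for i in range(10)
] + [
    {"src_ip": "10.1.1.5", "dst_ip": "192.0.2.53", "proto": 17, "src_port": 40000,
     "dst_port": 53, "dmf_switch": "filter-sw1", "src_mac": "00:11:22:33:44:55",
     "dst_mac": "66:77:88:99:aa:bb", "ts_ms": 1_000, "bytes": 80, "packets": 1},
]


def consolidation_ratio(records, **kw):
    """Input records per published document (11 records -> 3 documents here)."""
    docs = consolidate(records, **kw)
    return len(records) / len(docs)


if __name__ == "__main__":
    for doc in consolidate(SAMPLE):
        print(doc["dst_ip"], doc["record_count"], doc["bytes"], doc["packets"])
```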

Consolidation Troubleshooting

If consolidation is enabled but does not occur, Arista Networks recommends creating a support bundle and contacting Arista TAC.

Load-balancing Troubleshooting

If there are any issues related to load-balancing, Arista Networks recommends creating a support bundle and contacting Arista TAC.

NetFlow and IPFIX Flow with Application Information

This feature of Arista Analytics combines Netflow and IPFIX records containing application information with Netflow and IPFIX records containing flow information.

This feature improves the data visibility per application by correlating flow records with applications identified by the flow exporter.

This release supports only applications exported from Arista Networks Service Nodes. In a multi-node cluster, you must configure load balancing using the Analytics Node CLI.

Configuration

In a multi-node Analytics cluster, set the load-balancing policy of Netflow/IPFIX traffic to source-hashing as the round-robin policy may cause application information to be missing from the resulting flow documents in ElasticSearch.
analytics# config
analytics(config)# analytics-service netflow-v9-ipfix
analytics(config-an-service)# load-balancing policy source-hashing
Note: This configuration doesn’t apply to single-node deployments.

Kibana Configuration

To perform the Kibana configuration, select the System > Configuration tab on the Fabric page and open the Analytics Configuration > netflow_stream visualization.
Figure 8. Dashboard - Netflow stream configuration
Add the app_id configuration object.
Figure 9. Edit - Netflow stream
The app_id configuration object requires the following setting:
  • add_to_flows: enables or disables the merging feature.

ElasticSearch Documents

Three fields display the application information in the final NetFlow/IPFIX document stored in ElasticSearch:

  • appScope: Name of the NetFlow/IPFIX exporter.
  • appName: Name of the application. This field is only populated if the exporter is NTOP.
  • appID: Unique application identifier assigned by the exporter.

Troubleshooting

If merging is enabled but does not occur, Arista Networks recommends creating a support bundle and contacting Arista TAC.

Limitations

  • Some flow records may not include the expected application information when configuring round-robin load balancing of Netflow/IPFIX traffic. Arista Networks recommends configuring the source-hashing load-balancing policy and sending all Netflow/IPFIX traffic to the Analytics Node from the same source IP address.
  • Application information and flow records are correlated only if the application record is available before the flow record.
  • Arista Networks only supports collecting application information from Netflow/IPFIX exporters: NTOP, Palo Alto Networks firewalls, and Arista Networks Service Node.
  • This feature isn’t compatible with the consolidation feature documented in Consolidating Netflow V9/IPFIX records. When merging with application information is enabled, consolidation must be disabled.
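To show why the source-hashing policy matters for merging, the following Python script (an added illustration, not Arista's code) dispatches a constructed exporter stream to a two-node cluster under both policies and merges application records into flow records on each node. The record field names, and the assumption that a flow record is only enriched from application records already received on the same node, are this example's own.

```python
"""Load-balancing policy versus application-info merging (illustration only)."""
import hashlib
from itertools import cycle


def source_hashing(nodes):
    """Node chosen by a hash of the exporter's source IP: same source, same node."""
    def pick(rec):
        digest = hashlib.sha256(rec["exporter_ip"].encode()).digest()
        return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]
    return pick


def round_robin(nodes):
    """Node chosen in turn regardless of source: one exporter's records spread out."""
    it = cycle(nodes)
    return lambda rec: next(it)


def merge_app_info(records, pick_node):
    """Dispatch records to nodes, then build flow documents with app info per node.

    Mirrors the documented limitations: the application record must have been
    seen (on the node handling the flow record) before the flow record arrives.
    """
    app_table = {}  # (node, exporter_ip, flow_id) -> app record seen so far
    flow_docs = []
    for rec in records:
        node = pick_node(rec)
        slot = (node, rec["exporter_ip"], rec["flow_id"])
        if rec["kind"] == "app":
            app_table[slot] = rec
            continue
        app = app_table.get(slot)
        flow_docs.append({
            "flow_id": rec["flow_id"],
            "node": node,
            "appScope": rec["exporter_ip"],                 # exporter identity
            "appID": app["app_id"] if app else None,        # None: info missing
            "appName": app["app_name"] if app else None,
        })
    return flow_docs


# Constructed exporter stream: each application record precedes its flow record,
# all from one exporter (constructed address 10.9.0.2).
STREAM = []
for fid in range(1, 7):
    STREAM.append({"kind": "app", "exporter_ip": "10.9.0.2", "flow_id": fid,
                   "app_id": 100 + fid, "app_name": "app%d" % fid})
    STREAM.append({"kind": "flow", "exporter_ip": "10.9.0.2", "flow_id": fid})


def missing_app_count(policy, nodes=("an-1", "an-2")):
    """Number of flow documents published without application information."""
    docs = merge_app_info(STREAM, policy(list(nodes)))
    return sum(1 for d in docs if d["appID"] is None)


if __name__ == "__main__":
    print("source-hashing: %d flows without app info" % missing_app_count(source_hashing))
    print("round-robin:    %d flows without app info" % missing_app_count(round_robin))
```

With two nodes and alternating app/flow records, round-robin sends every application record to one node and every flow record to the other, so no flow is enriched; source hashing keeps the whole stream on one node.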

NetFlow and sFlow Traffic Volume Upsampling

Arista Analytics can upsample traffic volumes sampled by NetFlow V9/IPFIX and sFlow. This feature provides better visibility into traffic volumes by approximating the total number of bytes and packets from the samples collected by the NetFlow V9/IPFIX or sFlow sampling protocols, and it presents these approximations alongside the existing ElasticSearch statistics. The approximations are based on the flow exporter’s sampling rate or on a user-provided fixed factor.

Note: When the rate of flow packets is low or for short flows, the approximations will be inaccurate.

The DMF 8.5.0 release does not support the automated approximation of total bytes and packets for Netflow V9/IPFIX. If upsampling is needed, Arista Networks recommends configuring a fixed upsampling rate.

NetFlow/IPFIX Configuration

To perform the Kibana configuration, select the System > Configuration tab on the Fabric page and open the Analytics Configuration > netflow_stream visualization.
Figure 10. Dashboard - Netflow IPFIX configuration
Figure 11. Edit - Netflow IPFIX
There is one required setting, upsample_byte_packet_factor, with two possible options:
  • Auto: This is the default option. DMF 8.5.0 does not support automated upsampling for Netflow V9/IPFIX. Arista Networks recommends configuring an integer if upsampling is needed.
  • Integer: Multiply the number of bytes and packets for each collected sample by this configured number.

sFlow Configuration

To perform the Kibana configuration, select the System > Configuration tab on the Fabric page and open the Analytics Configuration > sFlow visualization.
Figure 12. Dashboard - sFlow configuration
Figure 13. Edit - sFlow
There is one required setting, upsample_byte_packet_factor, with two possible options:
  • Auto: Approximate the number of bytes and packets for each collected sample based on the collector’s sampling rate. Auto is the default option.
  • Integer: Multiply the number of bytes and packets for each collected sample by this configured number.

Dashboards

NetFlow Dashboard
The NetFlow dashboard is on the Production Network > NetFlow tab on the Fabric page. The following visualizations display upsampled statistics:
  • NF over Time
  • NF Top Talkers by Flow
Figure 14. NF Detail visualization
The DMF 8.5.0 release adds two new columns:
  • upsampledPacketCount: Approximate total count of packets for a flow.
  • upsampledByteCount: Approximate total count of bytes for a flow.
Note: In DMF 8.5.0, when upsampling is configured as Auto, upsampledByteCount and upsampledPacketCount simply copy the bytes and packets columns, and the graphs and tables of this dashboard display the bytes and packets values.
sFlow Dashboard

The sFlow dashboard is on the Production Network > sFlow tab on the Fabric page. The Traffic over Time visualization will display upsampled statistics.

Figure 15. Flow by Time visualization

The newly added upsampledByteCount represents a flow's approximate total count of bytes.

Troubleshooting

Arista Networks recommends creating a support bundle and contacting Arista Networks TAC if upsampling isn’t working correctly.

TCPFlow

Click the TCPFlow tab to display the following dashboard.
Figure 16. Production Network > TCPFlow Dashboard

The information on the TCPFlow dashboard is derived from TCP handshake packets and is deduplicated. The Filter Interface visualization indicates the filter switch port where the data is received. The switch description is taken from the Description attribute of each switch, configured on the DANZ Monitoring Fabric controller. Device & IF on this dashboard refers to the end device and depends on the LLDP packets received.

Flows

Click the Flows tab to display the following dashboard.
Figure 17. Production Network > Flows Dashboard
The Flows Dashboard summarizes information from sFlow and NetFlow messages and provides the following panels:
  • All Flows Type
  • All Flows Overtime
  • All Flows Details

Filters & Flows

Click the Filters & Flows tab to display the following dashboard.
Figure 18. Production Network > Filters & Flows Dashboard

ARP

Click the ARP tab to display the following dashboard. This data correlates with the tracked host feature on the DANZ Monitoring Fabric controller. It shows all ARP data by switch interface and production device over time.
Figure 19. Production Network > ARP Dashboard

DHCP

Click the DHCP tab to display the following dashboard.
Figure 20. Production Network > DHCP Dashboard
Note: Operating system information for hosts on the network, and DHCP data by filter interface and production device, are available.
The DHCP Dashboard summarizes information from analyzing DHCP activity and provides the following panels:
  • DHCP OS Fingerprinted
  • DHCP Messages by Filter Interface
  • DHCP Messages by Production Switch
  • Non-whitelist DHCP Servers
  • DHCP Messages Over Time
  • DHCP Messages by Type
  • DHCP Messages

DNS

Click the DNS tab to display the following dashboard.
Figure 21. Production Network > DNS Dashboard
The DNS Dashboard summarizes information from analyzing DNS activity and provides the following panels:
  • DNS Top Servers
  • DNS Top Clients
  • DNS By Filter Interface
  • DNS by Production Device & IF
  • DNS Messages Over Time
  • Unauthorized DNS Servers
  • DNS RTT
  • DNS All Messages
  • DNS RCode Distro
  • DNS QType Description
  • DNS Top QNames
Note: The DNS RTT value is computed from the query and response packet timestamps. If a query packet is not answered by a response packet within 180 seconds, the RTT value is set to -1.
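As an added illustration that is not part of the original guide, the following Python code computes the DNS RTT value described in the note above from a constructed capture; the packet tuple layout and the matching of queries to responses by client, server and transaction ID are assumed.

```python
"""DNS RTT from query/response timestamps with a 180 s answer timeout (illustration)."""
from collections import namedtuple

# Assumed packet layout: timestamp (s), client IP, server IP, DNS transaction ID,
# and whether the packet is a response.
Packet = namedtuple("Packet", "ts client server txid is_response")
TIMEOUT_S = 180.0


def compute_rtts(packets):
    """Return {(client, txid): rtt_seconds}; unanswered queries map to -1."""
    pending = {}  # (client, server, txid) -> timestamp of the outstanding query
    rtts = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.client, p.server, p.txid)
        if not p.is_response:
            pending[key] = p.ts            # a retransmit replaces the earlier query
            rtts[(p.client, p.txid)] = -1  # stays -1 unless answered in time
            continue
        sent = pending.pop(key, None)
        if sent is None:
            continue                       # response with no matching query: ignore
        delta = p.ts - sent
        if delta <= TIMEOUT_S:
            rtts[(p.client, p.txid)] = round(delta, 6)
        # else: answered after the timeout, the RTT remains -1
    return rtts


# Constructed capture: a normal exchange, a response arriving after 180 s,
# and a query that is never answered.
SAMPLE = [
    Packet(1000.000, "10.0.0.10", "10.0.0.53", 0x1a2b, False),
    Packet(1000.012, "10.0.0.10", "10.0.0.53", 0x1a2b, True),
    Packet(1005.000, "10.0.0.11", "10.0.0.53", 0x3c4d, False),
    Packet(1190.500, "10.0.0.11", "10.0.0.53", 0x3c4d, True),
    Packet(1010.000, "10.0.0.12", "10.0.0.53", 0x5e6f, False),
]


def unanswered_clients(packets):
    """Clients with at least one RTT of -1: a cheap indicator of DNS timeouts."""
    return sorted({c for (c, _), rtt in compute_rtts(packets).items() if rtt == -1})


if __name__ == "__main__":
    for (client, txid), rtt in compute_rtts(SAMPLE).items():
        print(client, hex(txid), rtt)
```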

ICMP

Click the ICMP tab to display the following dashboard.
Figure 22. Production Network > ICMP Dashboard
The ICMP Dashboard summarizes information from analyzing ICMP activity and provides the following panels:
  • Top ICMP Message Source
  • ICMP by Filter Interface
  • Top ICMP Message Dest
  • ICMP by Error Description
  • ICMP by Production Switch
  • ICMP Top Err Dest IPs
  • ICMP Top Err Dest Port Apps
  • ICMP Messages Over Time
  • ICMP Table
*sFlow® is a registered trademark of Inmon Corp.

Arista Analytics Basic Operations

This chapter describes how to use Arista Analytics to monitor and analyze traffic and events in the monitoring fabric and the DANZ Monitoring Fabric controller. This chapter includes the following sections:

Overview

Arista Analytics provides a non-proprietary extensible UI that integrates DMF Recorder Nodes, DMF Service Nodes, and the DANZ Monitoring Fabric controlled using an SDN Controller. The system has an extensive library of visualization components and analytics to compose new dashboards and answer further questions as they arise. The Arista Analytics node/cluster answers questions that would otherwise require specialized applications, such as Application Data Management (ADM) or Intrusion Protection Management (IPM). The Analytics node/cluster creates a document for each packet received. It adds metadata regarding the context, including the time and the receiving interface, which ElasticSearch can use to search the resulting documents quickly and efficiently.

Flows Dashboard

The following figure shows the Flows dashboard when accessing Arista Analytics.
Figure 1. Production Network > Flows Dashboard
The left panel provides the following options to access Arista Analytics features:
  • Fabric: The home page for Analytics provides a series of tabs and sub-tabs.
  • Controller: Opens the DANZ Monitoring Fabric GUI on the Controller identified using the System > DMF Controller option.
  • Discover: Use predefined indices to filter and display specific events.
  • Visualize: Customize the graphics displays provided by Arista Analytics.
  • Dashboard: Displays dashboards for DANZ Monitoring Fabric events.
  • Timelion: Displays events and other results according to time series.

The Analytics GUI and most of its features and operations are based on Kibana and ElasticSearch; the Kibana documentation is available at the following URL:

https://www.elastic.co/guide/en/kibana/7.2/index.html

Kibana 7.2 is the version used for Arista Analytics version 7.3.

Arista Analytics Fabric View

The Arista Analytics Fabric view displays in the following three tabs:
  • Production Network: View information about the production network.
  • DMF Network: View information about the monitoring network.
  • System: Manage system configuration settings.

Each page contains panels with different functions and features. The network panels provide visualizations, such as pie charts, line graphs, or other graphic displays that reflect the current dashboard contents based on the specific query. The bottom panel lists all the events that match the current query. A pop-up window provides additional details about the selection when mousing over a panel.

Using Two-ring (by Production Switch) Pie Charts

Pie charts that display information by the production switch have an inner and outer ring, as shown in the following example.
Figure 2. Two-ring Pie Chart

When a second ring appears in a pie chart, click any segment in the inner ring, and the outer ring provides a summary of information about the selected segment.

For example, in the Tracked Hosts by Production Device & IF pie chart, the outer ring shows hosts tracked on each interface, while the inner ring summarizes the tracked hosts on each switch. Clicking a segment for a specific switch on the inner ring filters the outer ring to show the tracked hosts for the interfaces on the selected switch.

Filtering Information on a Dashboard

Filter the events displayed on a dashboard by choosing an area on the dashboard. This action limits the information displayed on the dashboard to events similar to those selected. Click any pie chart slice to limit the display to the specific activity chosen. To change the color assigned to a specific protocol or other object, click the label on the list to the right of the chart.

Selecting the Time Range

To restrict the current content to events occurring in a specific period, click and drag to select the area on a time visualization, such as Flows Over Time.
Figure 3. Selecting the Time Range
To select the time range or to change the default refresh rate, click the Time Range control in the upper right corner. The system displays the following dashboard.
Figure 4. Time Range Control
This dialog provides the following options for setting the time range:
  • Quick: Simple settings, such as Today, Last 1 hour, etc.
  • Relative: Time offsets from a specific time, including the current time.
  • Absolute: Set a range based on date and time.
  • Recent: Provides a list of recently used ranges that you can reuse.
Select the range from the options provided, and the panels and displays update to reflect the new date and time range. To change the auto-refresh rate, click the Auto-refresh control. The system displays the following dashboard.
Figure 5. Change Auto Refresh Rate

Select the refresh interval from the options provided. Click Start to disable the auto-refresh function.

Using the Search Field

The search field at the top of the dashboard filters the current displays by any text or numbers you type into the field.
Figure 6. Search Field
The green bars under the Search field show the currently applied filters. When the pointer is over a green bar, it displays icons that let you control the filter.
  • Enable/Disable filter
  • Pin/Unpin filter
  • Exclude/Include matches
  • Remove filter
  • Edit filter

The Action option in the upper right corner applies these actions to all the currently applied filters.

Clicking a segment on a pie chart automatically inserts the corresponding filter into the Search field. To undo the filter, click the Remove filter icon.

To filter the information in the displays, enter the characters to filter on in the search field. For example, entering the first part of an IP address updates the displays to show only those IP addresses that match the characters entered. The following are some of the most helpful search filters:
  • IP address
  • Host name (requires DNS services)
  • Protocol, for example, HTTP, HTTPS, ICMP, and so forth
  • DMF interface name

Define complex queries using field names, which can be seen by scrolling down and clicking on an event row. For example, on the sFlow®* dashboard, the query proto : TCP AND tags : ext displays all externally bound TCP traffic. OR, NOT, and parentheses ( ) are also permitted in the expression. For more details about the supported search syntax, refer to the following URL: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax.

Search Performance Limitations

Refrain from executing a general (unfiltered) query over a 7- or 30-day range. Instead, run a 7- or 30-day query with specific criteria, such as a specific flow, filter interface, or DNS server.

To query NetFlow or sFlow for more extended periods, use the FLOW dashboard to determine the trend and then do a specific query, such as querying a specific flow or time, on the Netflow or sFlow dashboard.

If there is a large volume of NetFlow traffic, dedicate one Analytics node to NetFlow and use another for other Analytics traffic.

Using Discover Mode

Select the Discover option in the left panel of the Analytics window; the system displays the following page.
Figure 7. Discover Mode

Use Discover mode to see the indices in the ElasticSearch database and identify the available data.

Managing Dashboards

Select the Dashboards option from the left panel on the Analytics window to manage dashboards. The system displays the following page.
Figure 8. Dashboard Mode
Refer to the Kibana documentation for details about creating and managing dashboards: https://www.elastic.co/guide/en/kibana/7.13/index.html
Note: Recommended Best Practices - Use a naming convention that suits your environment when creating a dashboard or saved objects. For example, select a prefix to identify the dashboard content, and then use the body of the dashboard name to indicate the type of dashboard. For instance, the screenshots above use a naming pattern prefixed with “ARISTA”; filtering on that prefix and on type: dashboard yields a manageable set of objects that can be clicked or selected individually. Exporting individual dashboards by type is also a more appropriate option for tracking modifications to a dashboard. To survive upgrades, your dashboards should use only visualizations and searches you create; do not depend on default objects that might change in an upgrade.

Custom Dashboards

To add a custom dashboard, select the Dashboards option from the left panel on the Analytics window. The system displays the following page, which is the default dashboard:
Figure 9. Default Dashboard Mode
In the default dashboard, select the option to customize per your requirements.
Figure 10. Search for Dashboard
To customize an option on the dashboard, copy its ID as shown below.
Figure 11. Select the option and copy the ID
Note: Insert the ID into the dashboard exactly as copied from the bar for it to work.
Figure 12. Setting custom Dashboard
Figure 13. Default Dashboard configuration
Open the menu to select the action.
Figure 14. Open the action menu
Select the Duplicate tab to duplicate the entry.
Figure 15. Duplicate the tab
Figure 16. Insert the name tag ID
Now, the dashboard shows the customization of the option selected by the user.
Figure 17. Selected option for the user

Mapping IP Address Blocks

Map an IP address or a range of addresses to a description, so that you can search for the description text instead of the IP address. This feature identifies a specific group or organization sending or receiving traffic.

Complete the following steps to assign a single IP address or a block of IP addresses to a tool, group, or organization.

  1. Select System > Configuration and click the Edit control to the left of the IP Block section.
    Figure 18. Edit IP Blocks
  2. Copy an existing block by clicking on any square box along the left and select Duplicate from the pop-up menu.

    The duplicated block will be appended to the existing block list and assigned the next numerical sequence identifier.

  3. Scroll down to the end of the tags section to the numerical identifier assigned to the new block.
    Figure 19. Key Value Pairs
    It automatically copies the first four keys. The purpose of each of these default keys is as follows.
    • Desc: A short descriptive text entry.
    • ASNum: Automatically populated with the BGP Autonomous Systems (AS) numbers for well-known networks.
    • VPC: Virtual Private Cloud (tenant), automatically populated with the VPCs used in an integrated Converged Cloud Fabric network.
    • Segment: Network segment within a Converged Cloud Fabric VPC.

    To identify a user, application, tool, group, or organization, use the Desc key. You can leave the other fields blank.

  4. Type a value for the Desc key in double quotation marks (“).
  5. (Optional) To define an additional key, select any key and choose Duplicate from the pop-up menu. Then, type over the existing value with the correct value for the new key.

    Existing dashboards use the default keys. The customized dashboards can use added key pairs. The fifth and sixth keys can be custom.

    These keys are added to the flow for the source and destination IPv4 address. For example, the source description would be sDesc and the destination description would be dDesc.
    Note: Remember to match values in the same order as the corresponding key positions.
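The following Python code, added as an illustration that is not Arista's implementation, shows how the keys of a matching IP block are attached to a flow as sDesc/dDesc (and the other default keys with the same s/d prefix); the block table is constructed and longest-prefix matching for overlapping blocks is an assumption, since the page does not say how overlaps are resolved.

```python
"""Tagging flows with IP block descriptions (illustration only)."""
import ipaddress

# Key positions mirror the default keys described above; values are positional,
# so they must be given in the same order as the keys.
KEYS = ("Desc", "ASNum", "VPC", "Segment")

# Constructed block table: CIDR -> (Desc, ASNum, VPC, Segment).
IP_BLOCKS = {
    "10.0.0.0/8":      ("corp-lan", "", "", ""),
    "10.20.0.0/16":    ("finance-tools", "", "", ""),
    "203.0.113.0/24":  ("partner-x", "64496", "", ""),
    "198.51.100.7/32": ("siem-collector", "", "", ""),
}


def compile_blocks(blocks):
    """Parse the CIDR table and order it most-specific first (assumed rule)."""
    table = []
    for cidr, values in blocks.items():
        if len(values) != len(KEYS):
            raise ValueError("block %s: expected %d values" % (cidr, len(KEYS)))
        table.append((ipaddress.ip_network(cidr), dict(zip(KEYS, values))))
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


_TABLE = compile_blocks(IP_BLOCKS)


def lookup(ip, table=None):
    """Return the key/value dict of the most specific block containing ip, or {}."""
    addr = ipaddress.ip_address(ip)
    for net, values in (_TABLE if table is None else table):
        if addr in net:
            return values
    return {}


def tag_flow(flow):
    """Add sDesc/dDesc (and the other keys, prefixed s/d) to a flow document."""
    tagged = dict(flow)
    for side, field in (("s", "src_ip"), ("d", "dst_ip")):
        for key, value in lookup(flow[field]).items():
            if value:  # blank values are left out, as the page allows blank keys
                tagged[side + key] = value
    return tagged


if __name__ == "__main__":
    print(tag_flow({"src_ip": "10.20.4.9", "dst_ip": "203.0.113.77", "proto": 6}))
```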

Mapping DHCP to OS

DHCP signatures can be mapped to known operating systems. These unique signatures come from fingerbank.org. As shown in the following image, several two-digit numbers are the signatures assumed for each OS (derived from fingerbank.org).
Figure 20. Unique OS Signatures from fingerbank.org
Figure 21. OS Information Received through DHCP Signatures

Mapping Ports and Protocols

The Analytics Node maps commonly used ports to their L4 applications and protocols. Ports and protocols can also be user-defined for custom application ports and custom protocols.
Figure 22. Edit Ports
Figure 23. Edit Protocols

SNMP Collector

SNMP collectors support third-party NetFlow/IPFIX sources. The Analytics Node supports both SNMPv2 and SNMPv3.
Figure 24. SNMP Collector

Mapping OUI to Hardware

Map the Organizationally Unique Identifiers (OUIs) seen in ARP traffic to the corresponding hardware vendors.
Figure 25. OUIs of Various Hardware Vendors

Topic Indexer on Arista Analytics

Description

The Analytics Node (AN) incorporates a feature known as topic_indexer, designed to facilitate data ingestion from customer Kafka topics and its subsequent storage into Elasticsearch indices.

This process involves modifying field names and specifying the supported timestamp field during the ingestion phase. The renaming of field names enables the creation of dashboards used to visualize data across multiple streams, including DNS and Netflow.

The resulting indices can then be leveraged as searchable indices within the Kibana user interface, providing customers with enhanced search capabilities.

Implementation Details
  • Configure a stream job using topic_indexer. Access the setting via the Kibana dashboard on the Analytics Node.
  • Locate the topic_indexer configuration on the Fabric Dashboard: Analytics > Fabric > System > Analytics Configuration, as shown in the following screenshots.
    Figure 26. Analytics > Fabric
    Another view:
    Figure 27. System > Analytics Configuration
  • The design section shows the configuration for a topic.
    Figure 28. Node selection

Configuration

Kibana Configuration

To perform the topic_indexer configuration, select the System > Configuration > Fabric page and open the Analytics Configuration panel:
Figure 29. System > Configuration
Figure 30. Topic_indexer configuration

Field Details

Each topic maps in JSON with the following fields:
  • topic: Kafka topic name; type string; mandatory.
  • broker_address: Broker address(es); type array, each entry in the format IPv4|hostname:port number; mandatory.
  • consumer_group: Optional. If not specified explicitly in the configuration, the consumer group defaults to topic_name + index_name. Setting this field is particularly useful when ingesting multi-partitioned topics from the client's end.
  • index: A dedicated index name for the topic; type string; mandatory. In Elasticsearch (ES), the index is created as topic_indexer_<index_name>.
  • field_group: An optional JSON mapping that specifies column rename/format transformations applied to incoming data. Each entry has the following keys:
    • type: Field type; used to designate the timestamp field.
    • source_key: The source field name in the incoming data.
    • indexed_key: The name of the destination field inserted in the outgoing ES index.

      The indexed_key may be the @timestamp field of an ES index. If you do not specify a @timestamp field, topic_indexer automatically uses the time the message was received as the @timestamp of that message.

    • format: Data format for the field (ISO8601).

Standards and Requirements

Input fields naming convention:

  • Kafka allows all ASCII alphanumeric characters, periods, underscores, and hyphens in topic names. In topic_indexer, the legal characters are: a-z0-9\\._\\-
  • The only additional restriction topic_indexer imposes is on capitalization: topic_indexer does not support case-sensitive names and treats every name as lowercase. Hence, topic names should be lowercase only.
  • All-numeric names are also invalid.
Note: These conventions are valid for all other input types as well.

Examples of names:

Valid text:
  • my-topic-name
  • my_topic_name
  • itlabs.mytopic.name
  • topic123
  • 123topic
  • my-index-name
Invalid text:
  • myTopicName
  • ITLabs-Website-Tracker
  • 12435
  • MY-Index-name
Broker Address Format:
  • A broker address in Kafka comprises two values: IPv4 address and Port Number.
  • When entering the broker address, use the format: IPv4:PORT.
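The following Python script, added here and not Arista's own validator, checks a constructed topic_indexer entry against the field details and naming rules above (mandatory fields, lowercase a-z0-9._- names that are not all-numeric, IPv4:PORT broker addresses, and field_group entries); the exact checks the Kibana UI performs are not documented here, so only the stated rules are encoded and the timestamp/format convention is an assumption.

```python
"""Pre-flight validation of a topic_indexer entry (illustration only)."""
import ipaddress
import re

NAME_RE = re.compile(r"^[a-z0-9._-]+$")       # legal characters from the page
MANDATORY = ("topic", "broker_address", "index")


def valid_name(name):
    """Lowercase alphanumerics, periods, underscores, hyphens; not purely numeric."""
    return isinstance(name, str) and bool(NAME_RE.match(name)) and not name.isdigit()


def valid_broker(addr):
    """IPv4:PORT with a port in 1..65535 (only the IPv4 form is checked here)."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry should be saveable."""
    problems = []
    for key in MANDATORY:
        if key not in entry:
            problems.append("missing mandatory field: %s" % key)
    for key in ("topic", "index", "consumer_group"):
        if key in entry and not valid_name(entry[key]):
            problems.append("invalid %s name: %r" % (key, entry[key]))
    brokers = entry.get("broker_address")
    if brokers is not None:
        if not isinstance(brokers, list) or not brokers:
            problems.append("broker_address must be a non-empty array")
        else:
            problems.extend("bad broker address: %s" % b
                            for b in brokers if not valid_broker(b))
    for fg in entry.get("field_group", []):
        for k in ("type", "source_key", "indexed_key"):
            if k not in fg:
                problems.append("field_group entry missing %s" % k)
        # Assumed convention: a timestamp-typed field must state its format.
        if fg.get("type") == "timestamp" and "format" not in fg:
            problems.append("timestamp field %r needs a format" % fg.get("source_key"))
    return problems


def es_index_name(entry):
    """Name of the index that topic_indexer creates in Elasticsearch."""
    return "topic_indexer_" + entry["index"]


# Constructed example entry; addresses and names are placeholders.
EXAMPLE = {
    "topic": "itlabs.mytopic.name",
    "broker_address": ["192.0.2.10:9092", "192.0.2.11:9092"],
    "index": "my-index-name",
    "field_group": [
        {"type": "timestamp", "source_key": "event_time",
         "indexed_key": "@timestamp", "format": "ISO8601"},
    ],
}

if __name__ == "__main__":
    print(validate_entry(EXAMPLE) or "OK -> " + es_index_name(EXAMPLE))
    print(validate_entry(dict(EXAMPLE, topic="MyTopic", broker_address=["192.0.2.10"])))
```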

Application Scenario

Querying Across DataStream using runtime-fields

Use runtime fields when making complex changes beyond simply renaming a field, such as converting it from a string type to an IP address. After every change to a runtime field, issue a rollover:
POST <stream-name>/_rollover
Note: These changes are not persistent. Reapply them after any restart of the AN.
Use Case: cross-index visualization of two data streams that need cross-querying.
Figure 31. Cross index visualization
  • Step 1. To view the documents in these indexes, create an index pattern (e.g., topic*spend) in Kibana.
  • Step 2. View the data in the Discover dashboard.
    Figure 32. Discover dashboard
  • Step 3. Create a common field (runtime field) between the two data streams by applying an API in Dev Tools.
    Figure 33. Dev Tools
    Note: Rolling over the data streams after setting the runtime fields can also be done in Dev Tools, as shown in the following examples:
    POST /topic-indexer-service-spend/_rollover
    POST /topic-indexer-product-spend/_rollover
    Note: These changes are not persistent; they must be reapplied after any restart of the AN.
  • Step 4. Finally, create a visualization using this common field, for example, Customer. The illustration below shows the top 5 customers with the highest spending across products and services.
    Figure 34. Visualization
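Because the runtime field and rollover have to be reapplied after every AN restart, it helps to script Steps 3 and 4's prerequisite once. The script below is an added example, not code from the Arista Analytics User Guide or from the topic_indexer service. It uses the Elasticsearch update-mapping API (`PUT <stream>/_mapping` with a `runtime` section) to define a common `customer` field on both data streams named in the guide, then issues the `_rollover` request for each. The ES endpoint (`ES_URL`), the per-stream source fields in `SOURCE_FIELDS`, and the choice of a keyword-typed field are assumptions; the `ip` type shown for the converter variant is the string-to-IP case the text mentions.

```python
"""Define a common runtime field on two data streams and roll them over.

Added example, not part of the Arista Analytics User Guide or the
topic_indexer service. Assumptions: the AN exposes the Elasticsearch REST
API at ES_URL, and each data stream stores the customer under a different
keyword field (SOURCE_FIELDS). The stream names are the guide's examples.
"""
import json
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: ES endpoint on the AN

# Assumed per-stream source fields that hold the customer name.
SOURCE_FIELDS = {
    "topic-indexer-service-spend": "customer_name.keyword",
    "topic-indexer-product-spend": "cust.keyword",
}


def runtime_field_mapping(field, source_field, field_type="keyword"):
    """Body for PUT <stream>/_mapping that defines a scripted runtime field.

    The Painless script emits the value of `source_field` under the common
    name `field`. With field_type="ip" the same shape turns a string field
    into an IP-typed field at query time without reindexing.
    """
    script = (
        f"if (doc['{source_field}'].size() != 0) "
        f"emit(doc['{source_field}'].value);"
    )
    return {
        "runtime": {
            field: {"type": field_type, "script": {"source": script}}
        }
    }


def http_send(method, path, body=None):
    """Default transport: one request to the AN's Elasticsearch API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        ES_URL + path, data=data, method=method,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_common_field(field, source_fields, field_type="keyword",
                       send=http_send):
    """Define `field` on every stream, then roll each stream over.

    Returns the (method, path, body) requests issued, in order. Runtime
    mappings are not persistent across an AN restart, so run this again
    after every restart.
    """
    issued = []
    for stream, source in source_fields.items():
        calls = [
            ("PUT", f"/{stream}/_mapping",
             runtime_field_mapping(field, source, field_type)),
            ("POST", f"/{stream}/_rollover", None),
        ]
        for method, path, body in calls:
            send(method, path, body)
            issued.append((method, path, body))
    return issued


if __name__ == "__main__":
    for method, path, _ in apply_common_field("customer", SOURCE_FIELDS):
        print(method, path)
```

The `send` parameter exists so the request sequence can be inspected (or recorded in a dry run) without touching the AN; with the default transport the script performs the two mapping updates and two rollovers that the Dev Tools walkthrough above performs by hand.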

Syslog Messages

The topic_indexer logs are stored in the /var/log/analytics/ folder and are accessed using the following commands.
an> debug bash
admin@an$ cd /var/log/analytics/
admin@an:/var/log/analytics$
admin@an:/var/log/analytics$ ls -ls topic_indexer.log
67832 -rw-rwxr-- 1 remoteuser root 69453632 Apr 27 11:05 topic_indexer.log

Troubleshooting

Below are some of the commonly known issues and their troubleshooting scenarios:
  1. The Save button in the topic_indexer config is disabled.
    When editing the topic_indexer configuration in the Kibana user interface, default validations ensure the correctness of the values entered in the fields. The standards and requirements that apply when filling in the topic_indexer config are stated in the section Topic Indexer on Arista Analytics. As illustrated below, validation errors appear when an invalid value is entered in a configuration field.
    Figure 35. Validation errors

    In such an event, the edited configuration will not save. Therefore, before saving the configuration, validate the fields and ensure there is no visible validation error in the topic_indexer configuration editor.

  2. The index for the topic_indexer is not created.

    After the correct fields are entered in the topic_indexer configuration, the topic_indexer service starts to read the Kafka topic documented in the configuration and loads its data into the Elasticsearch index named in the index field. The name of the index is prefixed by topic_indexer_.

    There is a wait time of several minutes before the index is created and loaded with the data from the Kafka topic. In the event the index is not created, or there is no index shown with the name topic_indexer_<index_name> value, Arista Networks recommends using the following troubleshooting steps:
    1. Check the configurations entered in the topic_indexer editor once again to see whether the spellings for the topic name, broker address configuration, and index name are correct.
    2. Verify that the broker address and the port for the Kafka topic are open on the firewall. Kafka has a concept of listeners and advertised.listeners. Validate that the advertised.listeners are entered correctly into the configuration. Review the following links for more details:
      1. Kafka 3.5 Documentation
      2. Kafka Listeners – Explained | Confluent
    3. If all the above steps are correct, check now for the logs in the Analytics Node for the topic_indexer.
      Steps to reach the topic_indexer.log file on the AN node:
      1. Log in to the AN over SSH from the command line: ssh <user>@<an-ip>
      2. Enter the password for the designated user.
      3. Enter the command debug bash to enter debug mode.
      4. Switch to the root user with the sudo su command.
      5. topic_indexer logs reside in the following path: /var/log/analytics/topic_indexer.log
      6. Since this log file can be large, view it with the tail command.
      7. Check whether the log file shows any errors related to the index not being created.
      8. Report any unknown issues.
  3. Data is not indexed as per the configuration.
  4. Data ingestion is paused.

    When experiencing issues 3 or 4 (described above), use the topic_indexer log file to validate the problem.

  5. The index pattern for the topic_indexer is missing.

    The Kibana UI creates a default topic_indexer_* index pattern. If this pattern, or a pattern that fetches the dedicated index for a topic, is missing, create it using the Kibana UI as described in the following link:

    Create an index pattern | Kibana Guide [7.17] | Elastic

*sFlow® is a registered trademark of Inmon Corp.
Arista Analytics User Guide
Arista Networks
www.arista.com
DOC-06950-01

© Copyright 2024 Arista Networks, Inc. The information contained herein is subject to change without notice. Arista Networks and the Arista logo are trademarks of Arista Networks, Inc., in the United States and other countries. Other product or service names may be trademarks or service marks of others.