Hi all,
I was asked to build a report which retrieves the top X conversations (sum of total bytes per SourceIP-DestinationIP pair) from the top Y utilised sites (aka NetFlow sources). This is a classic SQL problem which can be solved in a few different ways (joins, subqueries, ranking functions, etc.).
This can be very challenging to solve in SWQL as there are no ranking functions and aggregate functions seem to fail for NetFlow entities:
Simple query (for simplicity) that fails with HAVING clause:
SELECT NodeID, SourceIP, DestinationIP, SUM(TotalBytes) AS SumA
FROM Orion.Netflow.Flows
WHERE TimeStamp>GetDate()-2
AND TimeStamp<GetDate()-1
GROUP BY NodeID, SourceIP, DestinationIP
HAVING SUM(TotalBytes)>1000000
The SWQL query above seems to ignore the HAVING clause, whereas in other entities like Orion.Nodes it seems to work.
And again, trying with a subquery gives a nice warning message:
Does anyone have any experience with this kind of NetFlow report / advanced SWQL query?
SolarWinds support has no documentation on supported methods at the moment.
Regards,
Antonis
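
An added example, not part of the original post and not SolarWinds code: one way to produce the "top X conversations from the top Y sites" report by ranking client-side, assuming the rows from the GROUP BY query above (run without the HAVING clause) have already been fetched. The sample rows, the function name `top_conversations` and its parameters are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the output of the GROUP BY query above
# run without the HAVING clause: (NodeID, SourceIP, DestinationIP, SumA).
ROWS = [
    (1, "10.0.0.5", "10.1.0.9", 9_000_000),
    (1, "10.0.0.6", "10.1.0.9", 4_000_000),
    (1, "10.0.0.7", "10.1.0.3", 500_000),
    (2, "10.2.0.4", "10.3.0.8", 7_000_000),
    (2, "10.2.0.5", "10.3.0.8", 2_500_000),
    (3, "10.4.0.2", "10.5.0.1", 1_200_000),
    (3, "10.4.0.3", "10.5.0.1", 300_000),
]

def top_conversations(rows, top_sites, top_convs, min_bytes=0):
    """Return {NodeID: [(src, dst, bytes), ...]} for the top_sites busiest
    NetFlow sources, each with its top_convs largest conversations.
    min_bytes is the client-side stand-in for HAVING SUM(TotalBytes) > n."""
    per_site = defaultdict(lambda: defaultdict(int))
    for node_id, src, dst, total in rows:
        per_site[node_id][(src, dst)] += total  # re-sum in case a pair is split

    # Rank sites on all of their traffic, before the per-conversation threshold.
    site_totals = {n: sum(c.values()) for n, c in per_site.items()}
    ranked_sites = sorted(site_totals, key=lambda n: (-site_totals[n], n))

    report = {}
    for node_id in ranked_sites[:top_sites]:
        convs = [(s, d, b) for (s, d), b in per_site[node_id].items()
                 if b > min_bytes]
        # Bytes descending, then addresses, so ties rank deterministically.
        convs.sort(key=lambda c: (-c[2], c[0], c[1]))
        report[node_id] = convs[:top_convs]
    return report

if __name__ == "__main__":
    for node, convs in top_conversations(ROWS, 2, 2, min_bytes=1_000_000).items():
        print(node, convs)
```
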