Data resolution
Data resolution is the period of time represented by each data point that is collected for the report. For example, if you run a report for the last day with the data resolution set to 15 minutes, then the report will be built from records aggregated over 15-minute intervals.
Typically, operators run a low-resolution report to locate an incident of interest. Then they narrow the time frame of the report to just the time of the incident and run a high resolution report using 1-minute 5-minute or 15-minute data resolution. Setting the data resolution to "Flow records" provides the highest resolution. It reports all the flow data that is collected, but it requires more time.
Using a low data resolution allows you to run a report faster than using a high data resolution. Using a high data resolution allows you to view more statistics about connections that occur less frequently, but it takes longer to run.
The data resolution should always be set for a shorter interval than the total time frame of the report. The time frame is automatically expanded to begin and end on the nearest data points outside of the original time frame. For example, if you were to specify a report time frame of 12:05 to 4:35 and a data resolution of 15 minutes, the time frame of the report would automatically be expanded to cover the period from 12:00 to 4:45.
Expanding the report time frame to actual data points instead of using interpolated or extrapolated data points preserves accuracy. However, if you specify a time frame relative to the current time (that is, ending at the current time instead of covering some absolute time interval in the past), then the time frame is adjusted to the closest data resolution interval for which data is available. It is not expanded beyond the current time.
Automatic data resolution
When you set the "Data resolution" box in the Report Criteria section to automatic, NetProfiler sets the data resolution interval based on the time frame of the report. The report time frame for which each data resolution can be used is defined on the Administration > Flow Log page Reporting tab. more
The Minimum Time Frame column of the table specifies the shortest time frame for which a report can use the resolution. The resolution is available for time frames up to the minimum time frame for the next resolution level. For example, assume that the minimum time frame for:
-
5-minute resolution is set to 20 minutes.
-
15-minute resolution is set to 2 hours.
-
1-hour resolution is set to 8 hours.
-
6-hour resolution is set to 2 days.
This means that:
-
Reports with time frames of less than 20 minutes will use 1-minute resolution.
-
Reports with time frames from 20 minutes to 1 hour and 59 minutes will use 5-minute resolution.
-
Reports with time frames from 2 hours to 7 hours and 59 minutes will use 15-minute resolution.
-
Reports with time frames from 8 hours to 1 day, 23 hours and 59 minutes will use 1-hour resolution.
Note that resolutions for which NetProfiler has not yet processed enough data are not listed. When the data that is available is insufficient to represent traffic with the resolutions specified on the Administration > Flow Log page Reporting tab, NetProfiler uses the best resolution available.
Impact on traffic reporting
The amount of traffic being reported may differ slightly with different data resolutions. "Flow" data resolution reports all connections. For example, assume the following connections were recorded:
Host A --> Host B
Host A --> Host C
Host C --> Host A
Using "Flow" resolution, reporting will yield all data for all three hosts; A, B and C. However, 5-minute and lower resolutions track only the most talkative hosts and host-pairs. If Hosts A and C were top talkers, but Host B was not very talkative, then Host B might be pruned to conserve space and to allow queries to run faster. In that case, running the same report using data with 5-minute resolution would yield correct data about Hosts A and C, but Host B may be under-represented or even not present at all in the output. Use Flow resolution reports to get full detail, including hosts that have only very low traffic levels.