cpatte7372 asked:

Flexible Netflow Understanding

Hello Community,

Can someone please let me know how to get a show output to include both 'timestamp first' and 'timestamp last'? As you can see from the show command, I can only see 'timestamp first'.


 uk01380-Birmingham-1921#show flow monitor FlowMonitor1 cache format record 
  Cache type:                               Normal
  Cache size:                                32768
  Current entries:                              21
  High Watermark:                               99
  Flows added:                               16931
  Flows aged:                                16910
    - Active timeout      ( 86520 secs)          0
    - Inactive timeout    (    15 secs)      16910
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0


IPV4 SOURCE ADDRESS:       10.44.113.253
IPV4 DESTINATION ADDRESS:  10.45.69.161
TRNS SOURCE PORT:          0
TRNS DESTINATION PORT:     0
INTERFACE INPUT:           Tu0
IP PROTOCOL:               47
interface output:          Gi0/1.10
flow direction:            Input
counter bytes:             357012582
counter packets:           852153
timestamp first:           15:12:51.312

I know it's possible to get both 'timestamp first' and 'timestamp last', but I just don't know how to get it on our routers.


Cheers

Carlton
Routers

Last Comment
cpatte7372

8/22/2022 - Mon
Ian Meredith

The timestamp time values show if you have configured your monitoring correctly. Once you have fixed the configuration of your monitoring, the timestamp first and last values will display when you run your reporting.

Taken from this webpage: http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/flexible_netflow/command_reference/b_fnf_32se_3850_cr_chapter_010.html#wp3519681722



collect timestamp absolute
To configure the absolute time of the first seen or last seen packet in a flow as a non-key field for a flow record, use the collect timestamp absolute command in flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a non-key field for a flow record, use the no form of this command.

collect timestamp absolute { first | last }

no collect timestamp absolute { first | last }

Syntax Description
first - Configures the absolute time for the time that the first packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time the first packet was seen from the flows.

last - Configures the absolute time for the time that the last packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time that the most recent packet was seen from the flows.

Command Default
The absolute time field is not configured as a non-key field.

Command Modes
Flow record configuration

Command History
Release               Modification
Cisco IOS XE 3.2SE    This command was introduced.

Usage Guidelines
The Flexible NetFlow collect commands are used to configure non-key fields for the flow monitor record and to enable capturing of the values in the fields for the flow created with the record. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow.

Examples
The following example configures time stamps based on the absolute time for the time that the first packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute first

The following example configures the time stamps based on the absolute time for the time that the most recent packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute last
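
A way to check from the cache output whether a flow record collects both timestamps, added here as an example and not part of the original answer or of Cisco's documentation. It relies on the display convention seen in the question's output, where key fields print in upper case and non-key fields in lower case; the sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of "show flow monitor <name> cache format record".
# Field names follow the output in the question; all values are made up.
SAMPLE = """\
  Cache type:                               Normal

IPV4 SOURCE ADDRESS:       192.0.2.10
IP PROTOCOL:               47
counter packets:           10
timestamp first:           15:12:51.312

IPV4 SOURCE ADDRESS:       192.0.2.11
IP PROTOCOL:               6
counter packets:           4
timestamp first:           23:59:58.000
timestamp last:            00:00:03.500
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*):\s+(\S.*?)\s*$")

def parse_records(text):
    """Return one {'key': {...}, 'nonkey': {...}} dict per flow in the cache."""
    records, cur = [], {"key": {}, "nonkey": {}}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last flow
        m = FIELD.match(line)
        if m and m.group(1).isupper():             # key (match) fields print in upper case
            cur["key"][m.group(1)] = m.group(2)
        elif m and m.group(1).islower():           # non-key (collect) fields in lower case
            cur["nonkey"][m.group(1)] = m.group(2)
        elif not line.strip() and (cur["key"] or cur["nonkey"]):
            records.append(cur)
            cur = {"key": {}, "nonkey": {}}
    return records                                 # mixed-case header lines are skipped

def missing_fields(records, required=("timestamp first", "timestamp last")):
    """Required non-key fields that at least one flow lacks."""
    return [f for f in required if any(f not in r["nonkey"] for r in records)]

def duration_seconds(record):
    """Flow duration, or None if a timestamp is not collected (assumes under 24 h)."""
    def secs(hms):
        h, m, s = hms.split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    nk = record["nonkey"]
    if "timestamp first" not in nk or "timestamp last" not in nk:
        return None
    return round((secs(nk["timestamp last"]) - secs(nk["timestamp first"])) % 86400, 3)
```

Without the last-seen timestamp a flow's duration cannot be derived from the record, which is what `duration_seconds` returning `None` represents.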

ASKER
cpatte7372

Ian, that's great. Can you please explain what is meant by a non-key field?
ASKER CERTIFIED SOLUTION
Ian Meredith

ASKER
cpatte7372

Excellent