Edit

Share via

Queries for the ATCExpressRouteCircuitIpfix table

  • Article

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Get Top Talkers

List 10 Top Talkers during a defined time period.

query 
let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10; // Amount of top talker 5Tuples. Change this value to display a different number of items
let tuple = "5";  
let ipfixData = ATCExpressRouteCircuitIpfix
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime
| extend 3tuple = strcat("SrcIP:", SourceIp, " DestIP:", DestinationIp, " Protocol:", Protocol),
    5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Calculation to determine amount of circuit bandwidth used. This adds the number of payload bytes to the number of header bytes, then multiplies by 4096, the sampling rate used by ERTC
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, 3tuple, Flowsequence
| extend tuple = iff(tuple == "3", 3tuple, 5tuple);
let topTalkersBy3Tuple = ipfixData
| summarize sum(TotalBytes) by tuple
| order by sum_TotalBytes desc
| take num_toptalkers; // 10 top talkers
topTalkersBy3Tuple
| join kind=inner (
    ipfixData  
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), tuple
) on $left.tuple == $right.tuple
| extend TotalBytes = sum_TotalBytes1
| project-away sum_TotalBytes, sum_TotalBytes1, tuple1
| render columnchart with(kind=unstacked)

Get Top Talkers by Source and Destination Port

List 10 Top Talkers based on source and destination port during a defined time period.

query 
let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10;
let portType = "Source"; // Change to "Dest" for destination port based query
let data = ATCExpressRouteCircuitIpfix
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime
| extend 5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Calculation to determine amount of circuit bandwidth used. This adds the number of payload bytes to the number of header bytes, then multiplies by 4096, the sampling rate used by ERTC 
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, SourcePort, DestinationPort, Flowsequence
| extend port = iff(portType == "Source", SourcePort, DestinationPort);
let topTalkers = data
| summarize sum(TotalBytes) by port // Find top talkers port
| order by sum_TotalBytes desc
| take num_toptalkers; // 10 top talkers
topTalkers
| join kind=inner (
    data
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), port
) on $left.port == $right.port
| extend TotalBytes = sum_TotalBytes1, Port = strcat("Port:", port1)
| project-away sum_TotalBytes, sum_TotalBytes1, port, port1 
| render columnchart with(kind=unstacked)

Get Total Bandwidth Usage

Get a report of the total bandwidth used during a specified time range.

query 
let startTime = ago(2h); 
let endTime = ago(1h);
ATCExpressRouteCircuitIpfix 
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime 
| extend 5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol), 
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096  
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, Flowsequence 
| summarize sum(TotalBytes) by bin(FlowRecordTime, 1m) 
| extend TotalGB = toint(sum_TotalBytes / 1024 / 1024 / 1024) // Converting bytes to gigabytes 
| project-away sum_TotalBytes 
| render columnchart