I think what really needs to be done is to use the nfdump syntax to reduce the number of returned items. For example, what do you really want to know? Let's talk port 80. Maybe you want to know who is the biggest traffic user on port 80. From a command line, try this.
Notice that I used -n 20 to only get the top 20 from the list, and -s to get source IP showing the byte count. I also used a shorter time frame.
Code:
/usr/local/bin/nfdump -M '/usr/local/nagiosna/var/crmonrah03/flows/' -R . -t '2017/07/05.07:00:00-2017/07/05.12:59:59' -N -n '20' -o 'csv' -s 'srcip/bytes' 'src port 80'

Is that where you wanted to go? Basically, you need to reduce the output. Limit it by time frame versus using the totality of your collected data, by how many results make sense, and by what you want to know.
I expect that a new version will deal with other performance related issues. I hope. I'm a user of the tool, we paid for it, I like it, but sometimes I want to punch it.
Thanks
Steve B
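The narrowing options Steve describes (a bounded -t window, a top-N with -n, a -s statistic and a flow filter) can be wrapped so the time window and top-N are validated before nfdump is invoked. This is an added example, not code from the post or from Nagios Network Analyzer; the nfdump path and the flows directory are assumed to match the post, and build_nfdump_cmd, valid_nfdump_time and run_nfdump_query are names chosen here. The command is only run when NFDUMP_RUN=1 is set, so the builder can be checked without nfdump installed.

```shell
#!/bin/sh
# Added example (not part of the original post): compose a narrowed nfdump
# query like the one in the post, validating the inputs first.
# Assumptions: nfdump lives at /usr/local/bin/nfdump and the flow files are in
# the same directory the post uses; both can be overridden via the environment.
NFDUMP=${NFDUMP:-/usr/local/bin/nfdump}
FLOWDIR=${FLOWDIR:-/usr/local/nagiosna/var/crmonrah03/flows/}

# valid_nfdump_time TIMESTAMP
# True when TIMESTAMP is in the YYYY/MM/DD.HH:MM:SS form nfdump's -t expects.
valid_nfdump_time() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4}/[0-9]{2}/[0-9]{2}\.[0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# build_nfdump_cmd START END TOPN STAT FILTER
# Prints the nfdump command line on stdout; returns 1 on a malformed
# timestamp or a non-numeric top-N so a typo never turns into a full-archive scan.
build_nfdump_cmd() {
    start=$1; end=$2; topn=$3; stat=$4; filter=$5
    if ! valid_nfdump_time "$start" || ! valid_nfdump_time "$end"; then
        echo "build_nfdump_cmd: time must be YYYY/MM/DD.HH:MM:SS" >&2
        return 1
    fi
    case $topn in
        ''|*[!0-9]*) echo "build_nfdump_cmd: top-N must be a positive integer" >&2; return 1 ;;
    esac
    # -M/-R .  read every file under FLOWDIR
    # -t       restrict to the time window (this is the biggest win)
    # -N       plain numbers, -n top N only, -o csv for post-processing
    # -s       statistic, e.g. srcip/bytes, dstip/bytes, srcport/flows
    printf "%s -M '%s' -R . -t '%s-%s' -N -n %s -o csv -s '%s' '%s'\n" \
        "$NFDUMP" "$FLOWDIR" "$start" "$end" "$topn" "$stat" "$filter"
}

# run_nfdump_query START END TOPN STAT FILTER
# Runs the query directly (no eval) when NFDUMP_RUN=1, otherwise just prints it.
run_nfdump_query() {
    cmd=$(build_nfdump_cmd "$1" "$2" "$3" "$4" "$5") || return 1
    if [ "${NFDUMP_RUN:-0}" = "1" ]; then
        "$NFDUMP" -M "$FLOWDIR" -R . -t "$1-$2" -N -n "$3" -o csv -s "$4" "$5"
    else
        echo "$cmd"
    fi
}

# Example: top 20 source IPs by bytes for traffic from port 80 in a six-hour window.
run_nfdump_query '2017/07/05.07:00:00' '2017/07/05.12:59:59' 20 'srcip/bytes' 'src port 80'
```

Swap the statistic for 'dstip/bytes' to see who is receiving the most on that port, or change the filter to 'dst port 80' to count requests toward your web servers instead of responses from them; the time window is what keeps the query fast either way.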