Nagios Support Forum

We are evaluating the demo VM (nagiosna-2.2.3-64.ova), the source is a Linux server 10.1.2.3 with fprobe installed. Data lifetime is 24 hours, disk usage – 34M.

Why are some queries taking forever to complete? For example:

"dst ip 10.1.2.3" aggregated by dstip,srcip works
"dst ip 10.1.2.3" aggregated by dstport,srcip hangs
"dst ip 10.1.2.3" aggregated by srcip works
"dst ip 10.1.2.3" aggregated by dstport works
"dst ip 10.1.2.3" aggregated by srcip,dstport hangs

The server does not show any CPU utilization, and a chord daigram is quicky shown, but query results are never returned.

Also what is the logic behind chord diagrams in queries? Reports have 4 different diagrams, but queries seem to always show only one.

Sincerely,
Anthony

There are some setting that have to be changed to get the NNA GUI to process large Queries.
Login as root and edit the /etc/php.ini file
Add the following line to the bottom of the file Save it and edit this file Add the following line to the bottom of the file Save the file and restart Apache for the changes to take affect. Depending on how much data is in your source, you may have to increase those numbers.

Try it out and let us know how it works for you.

Thank you for your suggestions, but there is no difference.
Data lifetime is 24 hours, disk usage – 34M. Is it considered a lot of flow data? I have also tried to set max_input_vars to 100000.
It can quickly aggregate on dstport and srcip, but not on both.

Did you increase this option in the /etc/httpd/conf/httpd.conf file to a larger value as well?

Increase that value and do the following too.

Edit the /etc/php.ini file and change the following from to Save the file and restart Apache for the changes to take affect. How many CPU's do you have allocated to the server if it is running in a virtual environment?
If you only have 2 allocated, try adding 2 more.

If the above changes do not work, run the following as root but replace <sourcename> with the actual name of the source you are trying to run the query against. Post the output, it should print out the number of lines the query generated.

Your nfdump command quickly returned 291529
"-A dstport,srcip" quickly returned 170481

I have increased max_input_vars to 300000 in addition to changing other values you have recommended. But the query in GUI still hangs, and the server does not show any CPU utilization, while it is running.

Are these numbers just too big to be used in GUI (too many pages in query output)?

The numbers could be to large to be loaded in the GUI.
It could still take a while to the GUI to render all of the data so let it run for 10 to 20 minutes.

FYI, if you printed the query with the 170 thousand lines, it would be slightly less that 10000 pages.

Can you run this as root and post the output?

[root@nnademo ~]# grep LimitRequestLine /etc/httpd/conf/httpd.conf
LimitRequestLine 100000

Edit this file Change this line from to Save the file and restart apache by running See if the query works after that change.

The query in GUI still hangs. I guess it is probably just too big.

Almost 300 thousand lines is a lot of data to display so the web interface may never display it even with the increased values.