Wednesday, September 28, 2011

Going with the (net)Flow

If you are using SolarWinds' NetFlow Analyzer modle (NTA) then you might have run into the confusion about all the different settings.

Most people keep them at the default but if you are experiencing performance hits, you will want to see where a tweak here or there might be beneficial.

The problem is (and no disrespect meant to the hard working tech writers at Solarwinds), the options don't make a whole lot of sense at first blush.

What appears below are my notes after about 20 (no exaggeration) email exchanges with tech support to nail down what each of the options means. It also includes what SolarWinds is doing behind the scenes with your data.

To see these options, log in to the regular website as an administrator go to settings (upper-right corner), then "NTA Settings".

“Compress Data” is talking about rolling up the data - averaging the detailed statistics to the hourly.  So the options that apply to this are:

(“Keep Uncompressed Data for...”) 
How long should NPM keep the minute-by-minute data from each data source  (default is one hour). During this time a new table is created for each netflow source every 15 minutes. If set to 60 minutes, you get 4 tables per netflow source. If you had 1,000 netflow sources, that would be 4,000 tables

This can be bumped up to 240 minutes, but doing so will create more tables
  • Once the time limit (again, 60 min is the default) is reached all those detailed values in all those tables are calculated into a 15 minute average. This becomes the database table NetflowSummary1.
  •  Every 24 hours (this is NOT tunable), the 15-minute data is compressed (averaged) into hourly data. This becomes the table NetflowSummary2
  •  After 3 days (again, not tunable), the hourly data is compressed into a daily average, which is moved to the table NetflowSummary3
“Keep Compressed data for”
The daily averages are held for 30 days (this can be held longer), after which they are deleted.

“Delete expired flow data”
The expired data (ie: older than 30 days or whatever you set) is deleted however often you indicate in this setting. "Once a day" is the default

“Compress database and log files”
is a shrink operation. As in, it tells the MS-SQL server to shrink tables. Nothing more exciting than that.

“Enable aggregation of Top Talker data” 
This uses Memory on the primary poller to store a certain amount of Netflow statistics. The web server (either locally, or via port 17777 if you have an additional web server) pulls the statistics from RAM rather than a distinct query to the DB server. This improves the overall load times of the NTA webpages (especially top talker, top conversations, top applications) and has the secondary effect of reducing load on the database server. Of course, any of that is only true if you have a lot of people hitting the NTA pages all the time.

No comments: