logstash-plugins/logstash-codec-netflow

netflow.rev and netflow.fwd

dfdalamar opened this issue · 1 comment

I am using the latest version of logstash and netflow codec. For some reason I am not getting flow.bytes translated correctly or geoip. I am getting rev and fwd delta but not bytes. Any ideas?

This is not something the codec does. The codec only shows what's in a Netflow packet. Some Netflow exporters use in_bytes or out_bytes to denote bytes sent to client or received from server.
Some vendors use newer IPFIX fields like initiatorOctets or responderOctets to do the same.
It's up to you (or elastiflow) to map this to some sort of Common Information Model, and perform the necessary additions to calculate bytes = in_bytes + out_bytes.
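One way to do that mapping, as an added example that is not code from this issue, the codec, or ElastiFlow: a small Ruby routine that looks for the counter pairs named in the reply (in_bytes/out_bytes, then initiatorOctets/responderOctets) under the codec's default `netflow` target, sums whichever pair is present into a single total, records which fields were summed, and tags the event when no usable counter exists so the gap shows up in the pipeline instead of silently producing an empty field. The output field names `flow.bytes` and `flow.bytes_source`, the tag name and the sample events are assumptions. The same logic would sit inside a Logstash `ruby` filter using `event.get`/`event.set`; it works on plain hashes here so it can run stand-alone.

```ruby
# Added example (not from the issue, the codec or ElastiFlow): fold the
# byte counters that different exporters emit into one "flow.bytes" field.
# Assumed names: "flow.bytes", "flow.bytes_source", the "_flow_bytes_missing" tag.

# Counter pairs checked in order; first pair with at least one value wins.
BYTE_FIELD_PAIRS = [
  %w[in_bytes out_bytes],                # classic NetFlow v9 / IPFIX names
  %w[initiatorOctets responderOctets],   # newer IPFIX biflow names
].freeze

MISSING_TAG = "_flow_bytes_missing".freeze

# Coerce a decoded counter to Integer; nil for absent or malformed values
# (exporters sometimes emit strings, and a bad value must not poison the sum).
def counter(value)
  return nil if value.nil?
  Integer(value)
rescue ArgumentError, TypeError
  nil
end

# event: decoded Logstash event as a Hash, e.g. { "netflow" => { "in_bytes" => 10 } }.
# Returns a new Hash with "flow" => { "bytes", "bytes_source" } filled in, or the
# event with MISSING_TAG appended when no recognised counter pair is present.
def normalize_flow(event)
  nf = event["netflow"] || {}
  BYTE_FIELD_PAIRS.each do |fwd, rev|
    fwd_v = counter(nf[fwd])
    rev_v = counter(nf[rev])
    next if fwd_v.nil? && rev_v.nil?          # pair not used by this exporter
    flow = (event["flow"] || {}).merge(
      "bytes"        => (fwd_v || 0) + (rev_v || 0),  # bytes = in + out
      "bytes_source" => "#{fwd}+#{rev}"               # provenance for later debugging
    )
    return event.merge("flow" => flow)
  end
  event.merge("tags" => (event["tags"] || []) + [MISSING_TAG])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events covering both field conventions and a flow
  # record that carries no byte counters at all.
  samples = [
    { "netflow" => { "in_bytes" => "1500", "out_bytes" => 300 } },
    { "netflow" => { "initiatorOctets" => 40, "responderOctets" => 60 } },
    { "netflow" => { "protocol" => 6 } },
  ]
  samples.each { |ev| p normalize_flow(ev) }
end
```

A one-sided record (only in_bytes present) still yields a total, since a unidirectional flow legitimately has zero bytes in the other direction; only a record with neither field of any pair gets the tag, which is the condition to alert on when "bytes" goes empty after an exporter upgrade.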