Assuming the connection tracking is configured to output these record types:
newConnection
updateConnection
endConnection
It means that for each connection, we'll have at least 2 records (newConnection and endConnection).
One option to resolve this, is to remove newConnection from the output record type list.
The problem with that is that we don't have an easy way to follow new connections. I mean, for long connections, the first record will be updateConnection. While for short connections, the first and only record will be endConnection.
Looking only at endConnection records isn't great because if the cluster has many long connections that haven't ended yet, we won't count them.
A possible solution for this new problem could be adding a new boolean field to the connection record: _IsFirst. The field indicates whether the connection record (either updateConnection or endConnection) is the first report of the connection or not.
KalmanMeth
commented
1 year ago
Assuming the connection tracking is configured to output these record types:
newConnectionupdateConnectionendConnectionIt means that for each connection, we'll have at least 2 records (
newConnectionandendConnection). One option to resolve this, is to removenewConnectionfrom the output record type list. The problem with that is that we don't have an easy way to follow new connections. I mean, for long connections, the first record will beupdateConnection. While for short connections, the first and only record will beendConnection. Looking only atendConnectionrecords isn't great because if the cluster has many long connections that haven't ended yet, we won't count them.A possible solution for this new problem could be adding a new boolean field to the connection record:
_IsFirst. The field indicates whether the connection record (eitherupdateConnectionorendConnection) is the first report of the connection or not.This issue follows this comment: https://github.com/netobserv/flowlogs-pipeline/pull/287#issuecomment-1238985305
cc @jotak @eranra