Metrics & Dimensions

Metrics and dimensions are collected or derived from network data (flow, SNMP, BGP, etc.), stored in the Kentik Data Engine (KDE), and used in the portal (and Kentik APIs) as group-by and filtering parameters in Kentik queries. Metrics and dimensions are discussed in the following topics:

 

About Metrics

A metric is a combination of a unit (e.g. a bit) with a method of calculation (e.g. average per second) to create a quantifiable measurement (average bits/second). In Kentik, metrics represent measurements made on flows, which are used for counts, rankings (e.g. in a top-X list), and thresholds (e.g. in alerting).

Notes:
- For metrics that aren't transmitted via a flow protocol, see Non-flow Metrics.
- For metrics that are device-specific, see Device-specific Metrics.
- Some metrics that are stored as part of the flow records in KDE may be used as dimensions (see Per-flow Metrics).
- In addition to being used for query settings in the Kentik portal, metrics and dimensions are also used for the Query API.

 

Metrics in the Portal

The following table shows the main places in the Kentik portal where metrics are specified and used:

| Portal location | Primary Metric | Secondary Metric |
|---|---|---|
| Library » Dashboards: Add View Panel or Edit View Panel dialog | Query tab » Metrics pane, either: Metrics dropdown; Customize Metrics button » Metrics dialog (see Metrics Pane). | Query tab » Metrics pane » Customize Metrics » Metrics dialog. |
| Data Explorer: Query sidebar, Metrics pane. | Query sidebar » Metrics pane (see Metrics Pane), either: Metric drop-down; Customize Metrics button » Metrics dialog. | Query sidebar » Metrics pane » Customize Metrics » Metrics dialog. |
| Alerting » Policies: Add Policy or Edit Policy dialog | Dataset tab » Data Funneling pane » Primary Metric drop-down. | Dataset tab » Data Funneling pane » Secondary Metric field. |

 

Metrics Reference

The KB’s Metrics Reference documents the metrics available for Kentik queries. In general, metrics are available in queries involving traffic from all types of devices (routers, hosts, etc.; see Supported Device Types), though some metrics apply only to traffic from host agents such as kprobe (see About kprobe).

Metric Categories

Metrics, each of which represents an actual or derived column in the tables of the KDE (see KDE Tables), fall into the following functional categories:

| Category | Description | Agent |
|---|---|---|
| Metrics from All Devices | Metrics available from both routers and hosts (see Supported Device Types). | None or kprobe |
| Host Traffic Metrics | Metrics available only from hosts (see About kprobe). | kprobe |
| Application Decodes Metrics | Metrics from kprobe application decodes, e.g. DNS lookup and HTTP (see About Application Decodes). | kprobe |
| SNMP Metrics | Metrics from SNMP polling (see SNMP OID Polling). | None or kproxy |
| Streaming Telemetry Metrics | Metrics from Streaming Telemetry (see Streaming Telemetry Device Support). | None or kproxy |
| Device-specific Metrics | Metrics that are generated and stored in KDE only for certain types of devices (physical or virtual). | None or kproxy |

Notes:
- Use the links in the Category column above to see lists of the specific metrics in each of the above categories.
- For more detailed information about metrics requiring a host agent, see Host Traffic Metrics.

 

About Dimensions

Dimensions in Kentik represent specific data about flow (see Flow Overview). This data is either taken directly from flow records (e.g. NetFlow, sFlow), incorporated from correlated sources (e.g. GeoIP or threat feeds), or derived by Kentik from some combination of the two. Each dimension represents an actual or derived column in the tables of the KDE (see KDE Tables).

 

Dimensions in the Portal

Dimensions are primarily used in the following contexts in the Kentik portal and the Query API:

  • Group-by dimensions: Selected via the Dimension Selectors in a Dimensions pane (e.g. in the Query sidebar in Data Explorer).
  • Filters: Selected in the Filtering Options Dialog in a Filtering pane (e.g. in the Query sidebar in Data Explorer).

Dimension Locations

The following table shows more specifically the various locations in the Kentik portal where dimensions are specified and used:

| Portal section | Group-by | Filters |
|---|---|---|
| Dashboards | Add View Panel or Edit View Panel dialog » Query tab » Dimensions pane. See Panel Dialogs. | Query sidebar » Filtering pane » Filtering Options dialog (via Edit Filters button) » Add Ad-Hoc Filter. See Filter Groups Interface. |
| Data Explorer | Query sidebar » Dimensions pane » Group-by Dimensions dialog. See Dimension Selectors. | Query sidebar » Filtering pane » Filtering Options dialog (via Edit Filters button) » Add Ad-Hoc Filter. See Filter Groups Interface. |
| Alerting » Policies | Add Policy or Edit Policy dialog » Dataset tab » Data Funneling pane » Dimensions. | Add Policy or Edit Policy dialog » Dataset tab » Data Funneling pane » Filters. |
| Admin » User | N.A. | Add User or Edit User dialog » User Specific Filters pane. See User Settings Dialogs. |
| Admin » Saved Filters | N.A. | Add Saved Filter or Edit Saved Filter dialog » Ad-Hoc Filter Groups pane. See Saved Filter Admin Dialogs. |

 

Dimensions Reference

The KB’s Dimensions Reference documents the dimensions available for group-by and filtering in Kentik queries. In general, dimensions are available in queries involving traffic from all types of devices (routers, hosts, etc.; see Supported Device Types), though some dimensions apply only to traffic from host agents such as kprobe (see About kprobe).

Dimension Categories

Dimensions, each of which represents an actual or derived column in the tables of the KDE (see KDE Tables), fall into the following functional categories:

| Category | Description | Requires host agent (kprobe) |
|---|---|---|
| Network and Traffic Topology | Used to filter or group-by on information related to devices including interface names and descriptions, port IDs, etc. | No |
| IP and BGP Routing | Used to filter or group-by on IP addresses (IPv4 or IPv6), protocol (e.g. TCP or UDP), TCP flags, and ToS, as well as routing information including source and destination AS, AS path, AS names, community, prefixes, and hops. Also includes per-flow metrics. | No |
| Cloud Dimensions | Used to filter or group-by on fields in VPC flow logs from cloud providers. | No |
| Geolocation Dimensions | Used to filter or group-by on flow properties related to physical location (e.g. country codes, city names, etc.). | No |
| Application Context and Security | Used to filter or group-by based on various factors related to context — whether a flow originated or terminated with a commercial CDN, for example, or what "service" (port and protocol) it represents — as well as whether the values of certain flow fields match those of known security threats. | No |
| Application Decodes | Data related to DNS lookup and HTTP, including domain name, referrer, status, etc. | Yes |
| Container Networking Dimensions | Dimensions related to containers; currently Kubernetes. Note: Use of Kubernetes with Kentik requires a special software agent; contact Customer Success for further information. | |
| Device Metrics Dimensions | Dimensions enabling you to do filtering or top-X evaluations based on metrics from devices (e.g. SNMP, Streaming Telemetry). | |
| MPLS Dimensions | Dimensions related to Multiprotocol Label Switching. | |
| Device-specific Dimensions | Used to filter or group-by on fields in flow records from specific types of devices such as Palo Alto Networks firewalls or Cisco ASA. | No |

Notes:
- Use the links in the Category column above to see lists of the specific dimensions in each of the above categories.
- For more detailed information about dimensions requiring a host agent, see Host Traffic Dimensions.

 

Host Traffic Dimensions

While most dimensions are available (for both group-by and filters) on traffic from all devices, the following dimensions are available only for traffic from kprobe, Kentik's software host agent (see About kprobe):

  • DNS Query: A query from a DNS resolver to a DNS name server that translates a user-friendly domain name (e.g. www.domain_name.com) to a numeric IP address, either 32-bit IPv4 (93.184.216.119) or 128-bit IPv6 (2606:2800:220:6d:26bf:1447:1097:aa7).
  • DNS Query Type: The resource record type requested by the DNS query. For a list of record types, see https://en.wikipedia.org/wiki/List_of_DNS_record_types.
  • DNS Response: The response from a DNS server to a DNS query. DNS responses are composed of resource records (RRs). kprobe collects information from the following RRs:
    - A: IPv4 address for given host.
    - AAAA: IPv6 address for given host.
    - CNAME: A domain name that must be queried to resolve the original DNS query.
    - PTR: Used to look up a domain name based on an IP address.
    - MX: A mail exchange server for a DNS domain name.
    - NS: An authoritative name server for given host.
    - TXT: A non-formatted text string typically used by Sender Policy Framework (SPF) to prevent the sending of emails using a fake identity.
  • DNS Return Code: Status code returned from a DNS query (see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6).
  • HTTP Host Header: A mandatory HTTP header field that identifies the domain name of the server.
  • HTTP Referrer: A non-mandatory HTTP header field that identifies the address from which a destination webpage is requested. Logging referrers allows websites to keep track of how users arrive at a page.
  • HTTP Return Code: Status codes defined in the following document: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
  • HTTP User Agent: A non-mandatory HTTP header field that identifies the client that submitted a request. User agent information, such as operating system and browser software, helps websites determine how content will be displayed.
  • HTTP URL: The filename portion of a path to a web resource, with query string (if any).

Note: Kentik supports the matching of substrings in the values of certain host-sourced group-by dimensions (see DNS/WWW Extract Function).

© 2014- Kentik