@@ -10,13 +10,16 @@ Each flow record is converted individually and send to outputs where at least on
1010method must be configured. All fields in an IPFIX record are formatted as: <field name>:<value>,
1111where the *field name * represents a name of a corresponding Information Element as
1212"<Enterprise Name>:<Information Element Name>" and *value * is a number, string,
13- boolean or null (if conversion from IPFIX to JSON fails). The enterprise name is a name of an
13+ boolean or null (if conversion from IPFIX to JSON fails). The Enterprise Name is a name of an
1414organization that manages the field, such as IANA, CISCO, etc.
1515
1616If the field name and type is unknown and "ignoreUnknown" option is disabled, the field name
1717use format 'enXX:idYY' where XX is an Enterprise Number and YY is an Information Element ID.
1818See notes for instructions on how to add missing definitions of Information Elements.
1919
20+ Structured data types (basicList, subTemplateList and subTemplateMultiList) are supported. See
21+ the particular section below for information about their formatting.
22+
2023Example output
2124--------------
2225
@@ -65,6 +68,8 @@ Don't forget to remove (or comment) outputs that you don't want to use!
6568 <ignoreUnknown >true</ignoreUnknown >
6669 <ignoreOptions >true</ignoreOptions >
6770 <nonPrintableChar >true</nonPrintableChar >
71+ <numericNames >false</numericNames >
72+ <splitBiflow >false</splitBiflow >
6873
6974 <outputs >
7075 <server >
@@ -127,6 +132,16 @@ Formatting parameters:
127132 Ignore non-printable characters (newline, tab, control characters, etc.) in IPFIX strings.
128133 If disabled, these characters are escaped on output. [values: true/false, default: true]
129134
135+ :``numericNames ``:
136+ Use only short identification of Information Elements (i.e. "enXX:idYY"). If enabled, the
137+ short version is used even if the definition of the field is known. This option can help to
138+ create a shorter JSON records with key identifiers which are independent on the internal
139+ configuration. [values: true/false, default: false]
140+
141+ :``splitBiflow ``:
142+ In case of Biflow records, split the record to two unidirectional flow records. Non-biflow
143+ records are unaffected. [values: true/false, default: false]
144+
130145----
131146
132147Output types: At least one of the following output must be configured. Multiple server/send/file
@@ -189,7 +204,75 @@ If one or more Information Element definitions are missing, you can easily add t
189204All definitions are provided by `libfds <https://github.com/CESNET/libfds/ >`_ library.
190205See the project website for help.
191206
207+ If a flow record contains multiple occurrences of the same Information Element,
208+ their values are stored into a single name/value pair as JSON array. Order of the values
209+ in the array corresponds to their order in the flow record.
210+
192211For higher performance, it is advisable to use non-formatted conversion of IPFIX data types.
193- If performance matters, you should prefer, for example, timestamps as numbers over ISO 8601 strings.
212+ In that case, you should prefer, for example, timestamps as numbers over ISO 8601 strings
213+ and numeric identifiers of fields as they are usually shorted.
214+
215+ Structured data types
216+ ---------------------
217+
218+ Flow records can be extended with structured data types (as described in RFC6313).
219+ Each of these types are formatted as JSON objects with "@type" field which helps to distinguish
220+ its formatting. Moreover, as the standard describes, the semantic of the list is also included.
221+
222+ Converted *basicList * contains "fieldID" with the Information Element identifier of zero or more
223+ Information Element(s) contained in the list. All values are stored as a JSON array in "data" field.
224+
225+ .. code-block :: json
226+
227+ {
228+ "example:blField" : {
229+ "@type" : " basicList"
230+ "semantic" : " anyOf"
231+ "fieldID" : " iana:octetDeltaCount"
232+ "data" : [23 , 34 , 23 ]
233+ }
234+ }
235+
236+ subTemplateList * contains only additional "data" field with array of zero or more
237+ JSON objects. As all nested JSON object are described by the same IPFIX Template, it's guaranteed
238+ the their structure is also the same. The "semantic" field indicates the relationship among the
239+ different JSON objects.
240+
241+ .. code-block :: json
242+
243+ {
244+ "example:stlField" : {
245+ "@type" : " subTemplateList"
246+ "semantic" : " allOf"
247+ "data" : [
248+ {"keyA.1" : " value1" "keyA.2" : " value2"
249+ {"keyB.1" : " value1" "keyB.2" : " value2"
250+ ]
251+ }
252+ }
253+
254+ subTemplateMultiList * is similar to the previous type, however, sub-records can be
255+ even more nested. The "data" field contains a JSON array with zero or more nested JSON arrays.
256+ Each nested array contains zero or more JSON objects and it's guaranteed that JSON objects in
257+ the same array have the same structure. The "semantic" field indicates top-level relationship
258+ among the nested arrays.
259+
260+ .. code-block :: json
261+
262+ {
263+ "example:stmlField" : {
264+ "@type" : " subTemplateMultiList"
265+ "semantic" : " allOf"
266+ "data" : [
267+ [
268+ {"keyA.1" : " value1" "keyA.2" : " value2"
269+ {"keyB.1" : " value1" "keyB.2" : " value2"
270+ ],
271+ [
272+ {"idA.1" : " something" "idB.1" : 123 }
273+ ]
274+ ]
275+ }
276+ }
194277
195- Structured data types (basicList, subTemplateList, etc.) are not supported yet .
278+ Keep on mind that all structures can be nested in each other .
0 commit comments