How Metrics Work

There are two components to metric data in most IT and Security tools:

  1. metrics - a numeric value, usually an aggregation: count(), sum(), avg(), etc.
  2. dimensions - identifiers that "cut" the data in different ways. For example, a metric named bytes.sent might be a sum() of a field called bytes, with two dimensions: source and destination. The result is a metric that sums the bytes field, but produces a separate record for each unique combination of source and destination values encountered.

For example, given this source log data:

bytes=30 source=10.23.11.2 destination=10.22.22.1
bytes=304 source=10.23.11.2 destination=10.2.2.2
bytes=2322 source=10.1.1.11 destination=10.22.22.1
bytes=3330 source=10.23.11.2 destination=10.22.22.1
bytes=104 source=10.23.11.2 destination=10.2.2.2
bytes=2622 source=10.1.1.11 destination=10.22.22.1
bytes=60 source=10.23.11.2 destination=10.22.22.1
bytes=604 source=10.23.11.2 destination=10.2.2.2
bytes=322 source=10.1.1.11 destination=10.22.22.1

You'd actually end up with three aggregated events:

bytes.sent=3420 source=10.23.11.2 destination=10.22.22.1
bytes.sent=5266 source=10.1.1.11 destination=10.22.22.1
bytes.sent=1012 source=10.23.11.2 destination=10.2.2.2

This is because there are three unique combinations of source and destination values in the source data.

Once the data is in the target analytics system, you can visualize it along these dimensions. For example, you can see the byte count between 10.23.11.2 and 10.22.22.1, or all traffic to and from 10.23.11.2. Viewing all traffic for 10.23.11.2 returns the records with source=10.23.11.2, one for each destination it talked to: 10.22.22.1 and 10.2.2.2.
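The following is an added example, not part of the original page or any product's own code. It parses the nine sample log lines above, sums the bytes field per unique (source, destination) combination to produce the three aggregated events, and then filters those events to show all traffic involving one host. The key=value parser and function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample input: the nine key=value log lines from the page.
SAMPLE_LOG = """\
bytes=30 source=10.23.11.2 destination=10.22.22.1
bytes=304 source=10.23.11.2 destination=10.2.2.2
bytes=2322 source=10.1.1.11 destination=10.22.22.1
bytes=3330 source=10.23.11.2 destination=10.22.22.1
bytes=104 source=10.23.11.2 destination=10.2.2.2
bytes=2622 source=10.1.1.11 destination=10.22.22.1
bytes=60 source=10.23.11.2 destination=10.22.22.1
bytes=604 source=10.23.11.2 destination=10.2.2.2
bytes=322 source=10.1.1.11 destination=10.22.22.1
"""


def parse_line(line):
    """Split a space-separated key=value line into a dict (hypothetical format parser)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:  # skip tokens that are not key=value
            fields[key] = value
    return fields


def aggregate(lines, metric="bytes", dimensions=("source", "destination")):
    """Sum `metric` once per unique combination of dimension values.

    Returns {(dim1_value, dim2_value, ...): total}. Lines missing the
    metric or any dimension are skipped rather than counted under a
    bogus key, which is the edge case most likely to skew a metric.
    """
    totals = defaultdict(int)
    for line in lines:
        fields = parse_line(line)
        if metric not in fields or any(d not in fields for d in dimensions):
            continue
        key = tuple(fields[d] for d in dimensions)
        totals[key] += int(fields[metric])
    return dict(totals)


def traffic_for_host(aggregated, host):
    """Return the aggregated records where `host` is the source or destination."""
    return {key: total for key, total in aggregated.items() if host in key}


if __name__ == "__main__":
    events = aggregate(SAMPLE_LOG.splitlines())
    for (src, dst), total in events.items():
        print(f"bytes.sent={total} source={src} destination={dst}")
```

Each distinct combination of dimension values becomes its own record, so the number of records grows with the cardinality of the dimensions you choose, not with the number of raw events.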