This is correct, With a flow database you want to be able to say: “show me all HTTP traffic from subnet a.b.c.0/24” which requires you to either keep individual IPs or aggregate subnets. Combined with port and protocol data for both source and destination, the series count shoots way above 10M.
- Tim > On 2 Jan 2019, at 20:20, Saku Ytti <s...@ytti.fi> wrote: > > Hey Tim, > >> I would advise against InfluxDB in this case - flow data has a very high >> (and open) tag cardinality which is not suited to Influx (although their >> recently new index format has improved this). > > I'm not entirely sure I understand. Does this mean the permutations of > tags are high, i.e. series count is high? If so, isn't this general > problem and advice against all TSDBs? If so, I fully agree, you > couldn't/shouldn't make for example IP addresses your tags, > potentially creating 2**32*2 series without any other tags, it's > rather non-sensical proposal in TSDB. > > Influx themselves comment that >10M series is likely infeasible. So > you need unique tag combinations to be low millions at most. > -- > ++ytti