ragator

[Andrew Pollock]

Carter,

My understanding of ragator when used without a flowfile is that it'll 
just aggregate multiple records for the same flow into one, where it can.

Is this correct?

I was looking at a month's worth of logs for a client today, and with 
racount, it said:

racount    records       total_pkts         src_pkts         dst_pkts      
total_bytes        src_bytes        dst_bytes
    sum    4339943        430446602        284435604        146010998     
118126342743      53028657986      65097684757

When I ran it through ragator first, I got:

racount    records       total_pkts         src_pkts         dst_pkts      
total_bytes        src_bytes        dst_bytes
    sum    3959765        430446602        284418909        146027693     
118126342743      53003592942      65122749801

(Sorry for the formatting).

The aggregated record count was lower, which is what I expected, however 
the packet and byte counts no longer matched, which I didn't expect.

The total packets and total bytes still match, but not the src and dst 
counts.

What gives?

Andrew