It started with parsing sysflows from firewalls using the UDP_Payload trigger to put these logs in custom metrics (and records).
We then use these metrics to display in a dashboard to have full visibility: running wire traffic + traffic that is blocked. At the moment this works nicely for overall view dashboards and monitoring dashboards of servers (or applications) with fixed IPs.
The flow devices in these triggers are now always the sender and the receiver of the sysflow, but it would be nice if we could assign the metric directly to the corresponding device (in L2 discovery) corresponding with the source or target in the log.
This is interesting for blocked IPs from devices whose IPs are changing all the time because of DHCP. If we can assign the "block" metrics to the L2 device, the metrics stay with that device even when it gets a new IP from DHCP.
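To illustrate the difference between keying "block" metrics on the IP and keying them on the L2 device, here is an added example (not code from the post or from the monitoring product it refers to). It parses a handful of constructed firewall log lines in an assumed `key=value` syslog style, resolves each source IP at the time of the event through a constructed DHCP lease history to the MAC that held the address, and counts blocks per device. The log format, the lease table and all addresses are assumptions for the demo.

```python
"""Added example: count firewall 'block' events per L2 device (MAC) rather than
per IP, using DHCP lease history so the metric follows a device across address
changes. Log format, lease records and addresses are all constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed DHCP lease history: (mac, ip, lease_start, lease_end), end exclusive.
# Device ee:01 moves from 10.1.1.20 to 10.1.1.45 at 12:00; ee:02 then takes 10.1.1.20.
LEASES = [
    ("aa:bb:cc:dd:ee:01", "10.1.1.20", "2024-05-01T00:00:00", "2024-05-01T12:00:00"),
    ("aa:bb:cc:dd:ee:01", "10.1.1.45", "2024-05-01T12:00:00", "2024-05-02T00:00:00"),
    ("aa:bb:cc:dd:ee:02", "10.1.1.20", "2024-05-01T12:00:00", "2024-05-02T00:00:00"),
]

# Constructed firewall syslog lines in an assumed generic key=value layout.
LOG_LINES = [
    "2024-05-01T08:15:00 fw01 action=block src=10.1.1.20 dst=203.0.113.9 dport=445 proto=tcp",
    "2024-05-01T09:30:00 fw01 action=allow src=10.1.1.20 dst=203.0.113.9 dport=443 proto=tcp",
    "2024-05-01T13:05:00 fw01 action=block src=10.1.1.45 dst=198.51.100.7 dport=445 proto=tcp",
    "2024-05-01T13:06:00 fw01 action=block src=10.1.1.20 dst=198.51.100.7 dport=23 proto=tcp",
    "2024-05-01T14:00:00 fw01 action=block src=10.1.1.99 dst=198.51.100.7 dport=22 proto=tcp",
    "2024-05-01T14:01:00 fw01 garbage line without fields",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields, or None if the line is not a flow record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host")}
    for tok in m.group("kv").split():
        if "=" not in tok:
            return None  # not key=value: skip rather than guess
        key, value = tok.split("=", 1)
        fields[key] = value
    if "action" not in fields or "src" not in fields:
        return None
    return fields


def mac_for(ip, ts, leases=LEASES):
    """Resolve an IP at event time to the MAC holding the lease, else None."""
    t = datetime.fromisoformat(ts)
    for mac, lease_ip, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= t < datetime.fromisoformat(end):
            return mac
    return None


def block_counts_by_ip(lines):
    """The per-IP view: a device that changes address is split, and two
    devices that share an address over time are merged."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f is None or f["action"] != "block":
            continue
        counts[f["src"]] += 1
    return dict(counts)


def block_counts_by_device(lines, leases=LEASES):
    """The per-L2-device view: blocks are keyed on the MAC that held the source
    IP when the event happened. IPs with no lease record are kept under an
    'unresolved:<ip>' key so nothing is silently dropped."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f is None or f["action"] != "block":
            continue
        mac = mac_for(f["src"], f["ts"], leases)
        counts[mac or f"unresolved:{f['src']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("by IP:    ", block_counts_by_ip(LOG_LINES))
    print("by device:", block_counts_by_device(LOG_LINES))
```

With the constructed data, the per-IP view reports two blocks for 10.1.1.20 even though they came from two different devices, while the per-device view correctly attributes two blocks to ee:01 (one before and one after its address change) and one to ee:02. The lease lookup is time-aware on purpose: matching only on the current lease would misattribute older events once an address is reassigned.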