Security Analytics not showing flows when looking at last 15 minutes of traffic

Article ID: 272533



Security Analytics


With an IPv4 filter in place, when a time range such as "Last 15 Min" or "Last 60 Min" or "Last Day" is selected, there are no results in the reports.

When the timespan is changed to "Last Week", the data is found, but it takes a very long time to see the results. It takes even longer to download the filtered data. Surprisingly, the data includes the flows from the last 15 minutes.

It appears that the traffic containing the IP address "" is being shown as one big continuous, long-running flow. You will not be able to see the flows for the Last 15 or 60 min or Last Day.

When you change the filter to contain any User LAN IP like, you can see the flows for "Last 15 Min" or "Last 60 Min".







The VRRP traffic is what may be called a "long-running flow". It does not stop for long periods of time. The 15-minute reports will show any flows that began in the last 15 minutes. If the flow started before the selected timespan, there will be nothing in the reports.

This is working as designed. The alternative for the application is to periodically break up the flows at intervals. The disadvantage to breaking up the flows is that they become multiple, unrelated flows, which is not desirable.

This explains why the flow appears when you run the search over a much longer timespan: the VRRP flow started somewhere in that extended period of time, so the report finds the start of the flow.
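
The selection rule described above can be modelled in a few lines. This is an added illustration, not Security Analytics code: the `Flow` record, the function names, the addresses (documentation range 192.0.2.0/24) and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:  # hypothetical record, not the product's schema
    flow_id: str
    src: str
    start: datetime
    last_seen: datetime

def started_in_window(flows, now, span):
    """Report rule from the article: a flow is listed only if it began inside the window."""
    return [f for f in flows if now - span <= f.start <= now]

def split_at_intervals(flow, interval):
    """The alternative the article mentions: cut one long flow into separate records."""
    segments, t, n = [], flow.start, 0
    while t < flow.last_seen:
        end = min(t + interval, flow.last_seen)
        segments.append(Flow(f"{flow.flow_id}-seg{n}", flow.src, t, end))
        t, n = end, n + 1
    return segments

def smallest_span_showing(flows, src, now, spans):
    """Label of the shortest time range whose report contains a flow from src."""
    for label, span in spans:
        if any(f.src == src for f in started_in_window(flows, now, span)):
            return label
    return None

# Constructed sample data.
NOW = datetime(2024, 1, 8, 12, 0, 0)
SPANS = [
    ("Last 15 Min", timedelta(minutes=15)),
    ("Last 60 Min", timedelta(hours=1)),
    ("Last Day", timedelta(days=1)),
    ("Last Week", timedelta(days=7)),
]
FLOWS = [
    Flow("vrrp-1", "192.0.2.1", NOW - timedelta(days=3), NOW),  # long-running, still active
    Flow("lan-1", "192.0.2.50", NOW - timedelta(minutes=5), NOW - timedelta(minutes=4)),
]

if __name__ == "__main__":
    for src in ("192.0.2.1", "192.0.2.50"):
        print(src, "first appears in:", smallest_span_showing(FLOWS, src, NOW, SPANS))
    pieces = split_at_intervals(FLOWS[0], timedelta(minutes=15))
    print(len(pieces), "separate records after splitting the long flow")
```

The long-running flow is still active at `NOW`, yet it first appears only in "Last Week" because that is the shortest range containing its start. Splitting it every 15 minutes makes it visible in the short ranges at the cost of turning one flow into 288 separate records.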


It is not possible to determine what type of flow is happening if the start of the flow is not found in the timespan selected. The initial part of a flow, and the negotiation it contains, is what allows the algorithms to assign a flow type.

Please contact support if you have further questions.