inputs.socketstat: feature request: return field containing number of entries

[jimis]

Currently socketstat plugin returns the following, as copied from docs:

Tags

• state (string) (for tcp, dccp and sctp protocols)
• proto
• local_addr
• local_port
• remote_addr
• remote_port

Fields

• bytes_acked (integer, bytes)
• bytes_received (integer, bytes)
• segs_out (integer, count)
• segs_in (integer, count)
• data_segs_out (integer, count)
• data_segs_in (integer, count)

TODO:

an extra field possibly named count that stores the number of occurences for each tag combination:
(proto, local_addr, local_port, remote_addr, remote_port).

Use Case:

One can use this info during DDoS attacks, to see whether many hits are coming from specific addresses, or if it's fully distributed.

[jimis]

Closing issue, this is not needed after all. Each 5-tuple of (proto, local_addr, local_port, remote_addr, remote_port) will only have 1 entry on the table. The "count" can never be more than one, the combination of "remote_port" and "local_port" must be unique for given address and protocol.

To figure out the connections per remote-ip, one must do aggregate queries like the following on influxDB:

SELECT count(state) FROM "socketstat" 
    WHERE host = 'hostname'
        AND time = '2025-11-04 02:22:40' 
        AND local_port='443' AND proto = 'tcp'
    GROUP BY remote_addr

This will return one row for each remote_addr, with its count of connections on the sockstat table.