[Bro-Dev] metrics framework

Seth Hall seth at icir.org
Mon May 23 00:09:10 PDT 2011


On May 18, 2011, at 5:04 AM, Vern Paxson wrote:

> What about a notion of "reduce", similar to the reduce operation in
> map-reduce?  It seems for a lot of metrics/statistics/time-series there
> will be a natural way of combining parallelized computation of a given
> sort over the sequence of values.


I'm not completely sure that would apply because the only reduce operation that I'm currently envisioning is straight addition.  It's basically taking the following example structure from all of the workers (with different counts on each worker obviously) and adding the values together on some break interval.

{ 
	[1.2.3.0/24] = { ["GET"] = 20, ["POST"] = 1 },
	[4.3.2.0/24] = { ["GET"] = 5304, ["POST"] = 45 },
	.... and on, and on, and on....
}

That would be an example of HTTP verbs used per /24 in requests.  Each worker would have its own table and on the break interval for the metric it would add together all of the values on the manager.

It's certainly possible that I'm just plain missing your point too. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
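
Added example, not part of the original message and not Bro code: a Python sketch of the addition-only reduce described above, where each worker counts HTTP verbs per /24 and the manager sums the tables on the break interval. The function names and the sample requests are constructed for illustration, and IPv4 clients are assumed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network


def new_table():
    """Per-worker metric table: /24 subnet -> Counter of HTTP verbs."""
    return defaultdict(Counter)


def observe(table, client_ip, verb):
    """Worker side: count one request under the client's /24 (IPv4 assumed)."""
    subnet = ip_network(f"{client_ip}/24", strict=False)
    table[subnet][verb] += 1


def reduce_tables(worker_tables):
    """Manager side: the reduce step is plain addition of matching counters."""
    merged = new_table()
    for table in worker_tables:
        for subnet, verbs in table.items():
            merged[subnet].update(verbs)  # Counter.update() adds, not replaces
    return merged


def break_interval(worker_tables):
    """Merge all workers' counts, then reset them for the next interval."""
    merged = reduce_tables(worker_tables)
    for table in worker_tables:
        table.clear()
    return merged


def sample_workers():
    """Two workers with constructed (made-up) HTTP requests."""
    w1, w2 = new_table(), new_table()
    for ip, verb in [("1.2.3.4", "GET"), ("1.2.3.9", "GET"), ("4.3.2.1", "POST")]:
        observe(w1, ip, verb)
    for ip, verb in [("1.2.3.200", "GET"), ("1.2.3.4", "POST"), ("4.3.2.77", "GET")]:
        observe(w2, ip, verb)
    return [w1, w2]


if __name__ == "__main__":
    for subnet, verbs in sorted(break_interval(sample_workers()).items()):
        print(subnet, dict(verbs))
```

Because addition is commutative and associative, the merged result does not depend on the order in which the workers' tables reach the manager.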



