[Bro] select element of set of records

Reinhard Gentz rgentz at asu.edu
Tue Nov 15 13:46:01 PST 2016 

The reason is that the creation of the set elements and sending them out
might not happen at the same time and i do not know how how many elements I
will have.
The overall idea is that i make one element in the set for each ip address
observed, that will have each the corresponding subelements a,b,c saved.
If a critical condition occurs then send the record of that single ip (with
the corresponding elements a,b,c) out to python for handling.


Second from that I thought i can access the elements the following way but
it does not work as expected, tell me what i am doing wrong:
myrecord2[mytest($b="1")]$a   #from myrecord2 take the set element record
where b is "1" and from that return the content of a.



On Tue, Nov 15, 2016 at 2:33 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Nov 15, 2016, at 3:43 PM, Reinhard Gentz <rgentz at asu.edu> wrote:
> >
> > Hi
> >
> > I want to send one element of a set of records to a remote event via
> broker to python. But i can only set the complete set of records
> >
> > The code below works, but i receive all elements of the set of records,
> not just the one i want to select. When I execute the code below on the
> other side i receive  {(whatever, 1), (whatever, 2)} but i only want to
> receive {(whatever, 1)}. I know i can filter out the unnecessary data in
> python, but it seems wasteful of the bandwidth and computation needed.
> >
> > type mytest: record{
> >         a: string &default = "whatever";
> >         b: string &default= "inhere";
> > };
> > type myrecordset: set[mytest];
> > local myrecord2 = myrecordset([$b="1"],[$b="2"]);
> >
> > global my_event3: event(msg: myrecordset);
> >
> > Broker::send_event("bro/events/my_event", Broker::event_args(my_event3,
> myrecord2[mytest($b="1")]));
>
> I don't really follow.. why aren't you just doing
>
> global my_event3: event(msg: mytest);
> Broker::send_event("bro/events/my_event", Broker::event_args(my_event3,
> mytest($b="1")));
>
> myrecord2 is a set of two records.  If you only want to send one of the
> records, just send one of the records, not the set.
>
> It might make more sense if you describe what you're trying to do here.
>
> --
> - Justin Azoff
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161115/cf6a4d89/attachment.html

More information about the Bro mailing list