[Bro] Uninitialize field
Jon Siwek
jsiwek at corelight.com
Tue May 1 08:11:23 PDT 2018
On 5/1/18 8:05 AM, John Y wrote:
> I am using the connection type to make custom logging.
> How can I check that each of its fields is initialized before I pull them?
If you want to check that a single field exists, use the ?$ operator.
See [1] for operator docs.
If you want to check that a set of fields exists (e.g. all of them),
then you'll either need to individually check them all via the ?$
operator or use the record_fields() function [2] to introspect whether
some set of fields in the record are initialized. I'm guessing the
introspection route is overkill for what you need, though just
mentioning it for completeness.
- Jon
[1] https://www.bro.org/sphinx/script-reference/operators.html
[2] https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html?highlight=record_fields#id-record_fields
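
Both approaches from the reply above, applied to custom connection logging. This is an added example, not code from the original thread; the module name `CustomConn`, its `Info` record and the `custom_conn` log path are hypothetical, and it assumes the default base scripts are loaded so that `connection` has its `conn` field.

```bro
module CustomConn;

export {
	redef enum Log::ID += { LOG };

	# Hypothetical log record for this example.
	type Info: record {
		ts:           time        &log;
		uid:          string      &log;
		id:           conn_id     &log;
		service:      string      &log &optional;
		duration:     interval    &log &optional;
		vlan:         int         &log &optional;
		unset_fields: set[string] &log &optional;
	};
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="custom_conn"]);
	}

event connection_state_remove(c: connection)
	{
	local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id);

	# c$conn is &optional, and so are several fields inside it: test each
	# level with ?$ before reading, or the access is a runtime error.
	if ( c?$conn )
		{
		if ( c$conn?$service )
			rec$service = c$conn$service;
		if ( c$conn?$duration )
			rec$duration = c$conn$duration;
		}

	if ( c?$vlan )
		rec$vlan = c$vlan;

	# Introspection route: record_fields() returns a table keyed by field
	# name; an entry has $value only when that field is initialized.
	local fields = record_fields(c);
	local unset: set[string];
	for ( name in fields )
		if ( ! fields[name]?$value )
			add unset[name];
	rec$unset_fields = unset;

	Log::write(LOG, rec);
	}
```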