[Zeek] Proper way to reference potentially missing key

Jon Siwek jsiwek at corelight.com
Thu Apr 4 09:19:09 PDT 2019


On Thu, Apr 4, 2019 at 8:59 AM Woot4moo <tscheponik at gmail.com> wrote:
>
> How can one reference a potentially missing key such that the script will not terminate? For example in a file_new event, if I reference the mime_type attribute and it is uninitialized I receive “no such field in record”
>
> Example code below:
>
>   if( f?$mime_type) #error here

That's the correct way to check for uninitialized &optional values,
but the error here is saying there's "no such field", not that the
"field is uninitialized".  i.e. there is no "mime_type" field in the
"fa_file" record type.  You're probably meaning to access
f$info$mime_type, which gets populated via the "file_sniff" event's
"fa_metadata" record's "mime_type" field.

(You can check if a record contains a field name by using the
"record_fields" function to introspect, but that's not a typical thing
people do and likely not what you really want).

- Jon
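
The checks described in the reply above, as an added example that is not part of the original message. It assumes handlers running at default priority and uses print statements only for illustration:

```zeek
# Added example, not code from the original thread.

event file_new(f: fa_file)
	{
	# fa_file has no "mime_type" field, so "f?$mime_type" is rejected
	# with "no such field in record". The field lives in the
	# &optional "info" record, so test each optional level in turn.
	if ( f?$info && f$info?$mime_type )
		print fmt("file_new %s: %s", f$id, f$info$mime_type);
	else
		print fmt("file_new %s: MIME type not known yet", f$id);

	# Introspection with record_fields(), as mentioned in the reply;
	# rarely what a script actually needs.
	if ( "mime_type" !in record_fields(f) )
		print "fa_file has no top-level mime_type field";
	}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# meta$mime_type is &optional as well: it is only set when
	# content sniffing identified the file.
	if ( meta?$mime_type )
		print fmt("file_sniff %s: %s", f$id, meta$mime_type);
	}
```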


