[Zeek] Using "dbl" instead of "num" in SumStats

Hui Lin (Hugo) hlin33 at illinois.edu
Sun May 5 11:15:47 PDT 2019


Hi Jim,

Thanks for the help. It seems that I made a stupid mistake. I did exactly
what you suggested, replacing dbl with num in the observation. However, when
I copied the print fmt function from the example into the callback function,
I forgot to let it print more decimal digits. So I always obtained
0, which made me think that the "observer" was still using "num". Hope
that this record can help others who want to use the double type instead of
the count type in SumStats.

Yes, as you may know, I contributed the DNP3 analyzer in Bro with Robin and
Seth. So I still use Bro to measure network traces related to DNP3 network
packets for my research work. At first, I was a little bit
daunted by using SumStats, but it turns out to be very easy. I just use the
application-layer events to calculate the round trip time between DNP3 requests
and responses and trigger the SumStats::observe event to record the latency
(to calculate goodput). Then I just calculate the average and standard
deviation. RTT is a very basic network measurement, so I find SumStats very
useful.

May I suggest a few things in SumStats? Maybe I missed something, but I don't
know how to directly obtain the number of data points recorded in SumStats, so I
need to declare another global variable to record that. It would be useful
if we could directly know how many data points have been recorded so far. The reason
that I need the number of records is to calculate the 95% or 99% confidence
interval. It would be great if we could include them directly in SumStats as
well.

Best,

Hugo


On Sun, May 5, 2019 at 10:55 AM Jim Mellander <jmellander at lbl.gov> wrote:

> Hi Hugo:
>
> The observation record is defined
> (share/bro/base/frameworks/sumstats/main.bro) as:
>         ## Represents data being added for a single observation.
>         ## Only supply a single field at a time!
>         type Observation: record {
>                 ## Count value.
>                 num:  count  &optional;
>                 ## Double value.
>                 dbl:  double &optional;
>                 ## String value.
>                 str:  string &optional;
>         };
>
> so in SumStats::observe, you would supply the dbl optional value instead
> of num, e.g.
>
> SumStats::observe("mysumstat",
> 	                  SumStats::Key($host=foo),
> 	                  SumStats::Observation($dbl=bar));
>
> (don't supply more than 1 optional value).
>
> Hope this helps.  BTW: I'm interested in the uses that folks find for sumstats.  Care to comment on your use case?
>
> Jim
>
>
> On Sun, May 5, 2019 at 10:38 AM Hui Lin (Hugo) <hlin33 at illinois.edu>
> wrote:
>
>> Hi
>>
>> By default, SumStats will apply calculation on "num" instead of "dbl".
>> How can I make it apply calculation on dbl instead?
>>
>> Thanks
>>
>> Hui Lin
>>
>> --
>> Hui Lin
>> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
>> DEPEND (http://depend.csl.illinois.edu/)
>> ECE, Uni. of Illinois at Urbana-Champaign
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>

-- 
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
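The pattern discussed in this thread (feeding a double into SumStats through the `dbl` field of `SumStats::Observation`, then reading the average and standard deviation in the epoch callback) as a complete Zeek script. This is an added example, not code posted by Hugo or Jim and not part of Zeek's own distribution. It uses the DNP3 analyzer's `dnp3_application_request_header` and `dnp3_application_response_header` events and assumes, for simplicity, that at most one request is outstanding per connection at a time. The observation count that Hugo asks about is available without an extra global: the `SumStats::ResultVal` record carries a `num` field with the number of observations received for that key, so a normal-approximation confidence interval can be computed from `num`, `average` and `std_dev` directly in the callback. The stream, SumStats name and module name are made up for this example.

```zeek
@load base/frameworks/sumstats
@load base/protocols/dnp3

module DNP3RTT;

# Constructed example state: time of the last DNP3 application-layer request
# seen on each connection, keyed by connection uid. Assumes one outstanding
# request per connection, the usual master/outstation polling pattern.
global pending: table[string] of time &write_expire=30sec;

event zeek_init()
	{
	# Reducer over the constructed "dnp3.rtt" stream. STD_DEV pulls in
	# AVERAGE and VARIANCE automatically; MIN and MAX are added for the report.
	local r = SumStats::Reducer($stream="dnp3.rtt",
	                            $apply=set(SumStats::AVERAGE,
	                                       SumStats::STD_DEV,
	                                       SumStats::MIN,
	                                       SumStats::MAX));

	SumStats::create([$name="dnp3-rtt",
	                  $epoch=5min,
	                  $reducers=set(r),
	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local rv = result["dnp3.rtt"];

	                  	# rv$num is the number of observations SumStats received
	                  	# for this key during the epoch; no separate counter needed.
	                  	if ( rv$num < 2 )
	                  		return;

	                  	# Half-width of a normal-approximation 95% confidence
	                  	# interval for the mean: z * s / sqrt(n) with z = 1.96.
	                  	# Multiplying by 1.0 promotes the count to a double.
	                  	local ci95 = 1.96 * rv$std_dev / sqrt(rv$num * 1.0);

	                  	# Print doubles with explicit precision; %d would
	                  	# truncate sub-second RTTs to 0.
	                  	print fmt("%s outstation=%s n=%d avg=%.6fs sd=%.6fs min=%.6fs max=%.6fs ci95=+/-%.6fs",
	                  	          strftime("%Y-%m-%d %H:%M:%S", ts), key$host, rv$num,
	                  	          rv$average, rv$std_dev, rv$min, rv$max, ci95);
	                  	}]);
	}

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
	{
	# Remember when the request went out on this connection.
	pending[c$uid] = network_time();
	}

event dnp3_application_response_header(c: connection, is_orig: bool, application: count, fc: count, iin: count)
	{
	# Unsolicited responses have no matching request; skip them.
	if ( c$uid !in pending )
		return;

	# RTT as a double (seconds), handed to SumStats via the dbl field only.
	local rtt = interval_to_double(network_time() - pending[c$uid]);
	delete pending[c$uid];

	SumStats::observe("dnp3.rtt",
	                  SumStats::Key($host=c$id$resp_h),
	                  SumStats::Observation($dbl=rtt));
	}
```

Run it against a DNP3 capture with `zeek -r trace.pcap dnp3-rtt.zeek` (file name is arbitrary). Only one of `num`, `dbl` or `str` is set per observation, as Jim's reply notes; setting `dbl` is what makes the AVERAGE and STD_DEV plugins operate on the double value. Keying by `resp_h` gives one result row per outstation per epoch, which is the granularity that makes the per-device RTT distribution meaningful.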