[Zeek] Using "dbl" instead of "num" in SumStats

Jim Mellander jmellander at lbl.gov
Mon May 6 10:49:02 PDT 2019


Hmmm, that SumStats::observe line doesn't seem quite correct.  Generally,
observations are in the form:

SumStats::observe("foo", [$host=bar], [$dbl=val]);

Assuming what you sent was just a typo, it would be interesting to know
whether the same behavior is seen both in a cluster and standalone, as
SumStats uses a different code path for those two cases.  If only the
cluster gives a different result (likely less than the manual count), then
I would be concerned that not all cluster results are being received
by the manager when it composes the results.

Jim

On Mon, May 6, 2019 at 9:56 AM Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:

> Hi Jim,
>
> I think the 'num' field seems like what I am looking for. However, when I
> tried it, it is different from the count that I made manually. Here is the
> code that I used to count. As you can see, what I try to do is easy:
> whenever an observation is received, I increase the value of a global
> variable. However, when I print it out through the epoch callback function,
> the value is different from the one in 'num'.
>
> if (...)
>      {
>      total_res = total_res + 1;
>      SumStats::observe("dnp3 rtt", SumStats::Key(),
> SumStats::Observation($dbl=latency));
>      }
>
>
> Best,
>
> Hugo
>
> On Mon, May 6, 2019 at 9:16 AM Jim Mellander <jmellander at lbl.gov> wrote:
>
>> Hi Hugo:
>>
>> <snip>
>> May I suggest a few things in SumStats? Maybe I missed something, but I don't
>> know how to directly obtain the number of data points recorded in SumStats, so I
>> need to declare another global variable to record that. It would be useful
>> if we could directly know how many data points have been recorded so far. The reason
>> that I need the number of records is to calculate the 95% or 99% confidence
>> interval. It would be great if we could include them directly in SumStats as
>> well.
>> <snip>
>>
>> Each result record returned to epoch_result has a 'num' field, which is a
>> count of the number of observations that made up that result - is that what
>> you're looking for?  If you're looking for a grand total of observations, I
>> suppose they could be totalled up from the result records.
>>
>> Take care,
>>
>> Jim
>>
>>
>
> --
> Hui Lin
> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign
>
>
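A complete Zeek script that puts the two counts side by side, added here as an illustration and not code posted by either participant: it keeps a manual global counter next to a SumStats stream of `$dbl` observations, prints the result's `num` field from the epoch callback, and uses `num` together with the AVERAGE and STD_DEV plugins for the confidence interval Hugo asked about. The stream name "dnp3 rtt" follows the thread; the `dnp3_rtt_sample` event, the key `[$str="all"]`, the 10-second epoch and the random latencies are constructed for the example.

```zeek
# Added example: compare SumStats 'num' with a manual counter and derive a
# 95% confidence interval for the mean. Not from the mailing-list thread.
@load base/frameworks/sumstats

# Manual counter of observations, mirroring the global in the original snippet.
global total_res: count = 0;

# Constructed event standing in for wherever the real script measures a DNP3 RTT.
event dnp3_rtt_sample(latency: double)
	{
	total_res += 1;
	# One observation per RTT sample; all samples share a single constructed key.
	SumStats::observe("dnp3 rtt", [$str="all"], SumStats::Observation($dbl=latency));
	}

event zeek_init()
	{
	# AVERAGE and STD_DEV are the stock SumStats plugins loaded by the framework.
	local r1 = SumStats::Reducer($stream="dnp3 rtt",
	                             $apply=set(SumStats::AVERAGE, SumStats::STD_DEV));

	SumStats::create([$name="dnp3-rtt-ci",
	                  $epoch=10secs,
	                  $reducers=set(r1),
	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
	                      {
	                      local r = result["dnp3 rtt"];
	                      # r$num is the number of observations folded into this result.
	                      print fmt("key=%s num=%d manual=%d", key$str, r$num, total_res);

	                      if ( r$num > 1 )
	                          {
	                          # Normal-approximation 95% interval: mean +/- 1.96 * sd / sqrt(n)
	                          local half = 1.96 * r$std_dev / sqrt(r$num * 1.0);
	                          print fmt("mean=%.6f ci95=[%.6f, %.6f]",
	                                    r$average, r$average - half, r$average + half);
	                          }
	                      },
	                  $epoch_finished(ts: time) =
	                      {
	                      # Reset the manual counter per epoch so it stays comparable
	                      # to 'num', which is also computed per epoch.
	                      total_res = 0;
	                      }]);

	# Constructed sample input: 20 RTTs between 10 ms and 15 ms.
	local i = 0;
	while ( i < 20 )
		{
		event dnp3_rtt_sample(0.010 + rand(50) / 10000.0);
		++i;
		}
	}
```

Run standalone (`zeek dnp3-rtt-ci.zeek`, with an interface or pcap so the epoch timer fires) and the two counts should agree. In a cluster the picture changes in exactly the way the reply above suggests checking: `total_res` is incremented on the worker that handled the sample, while `$epoch_result` runs on the manager, so the manager prints its own (untouched) copy of the global, and any shortfall in `num` relative to a worker-side count would point at results not reaching the manager.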