[Zeek] Using "dbl" instead of "num" in SumStats

Hui Lin (Hugo) hlin33 at illinois.edu
Mon May 6 11:32:17 PDT 2019


I am afraid that is not a typo. I copied and pasted it from the documentation at
https://docs.zeek.org/en/stable/frameworks/sumstats.html#examples. I think
what I wrote is consistent with what you provided, except that I directly call
the Key and Observation constructors for the second and third parameters.  I am just
using the standalone version to analyze a pcap. More interestingly, as the
periodic epoch callback function prints out, the "num" field of the epoch
result can decrease!

On Mon, May 6, 2019 at 10:49 AM Jim Mellander <jmellander at lbl.gov> wrote:

> Hmmm, that SumStats::observe line doesn't seem quite correct.  Generally,
> observations are in the form:
>
> SumStats::observe("foo", [$host=bar], [$dbl=val]);
>
> Assuming what you sent was just a typo,  it would be interesting to know
> whether the same behavior is seen both in a cluster and standalone, as
> SumStats uses a different code path for those two cases.  If only the
> cluster gives a different result (likely less than the manual count), then
> I would be concerned that not all cluster results are being received
> by the manager when it composes the results.
>
> Jim
>
> On Mon, May 6, 2019 at 9:56 AM Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:
>
>> Hi Jim,
>>
>> I think the 'num' field seems like what I am looking for. However, when I
>> tried it, it is different from the count that I made manually. Here is the
>> code that I used to count. As you can see, what I try to do is easy:
>> whenever an observation is received, I increase the value of a global
>> variable. However, when I print it out through the epoch callback function, the
>> value is different from the one in 'num'.
>>
>> if (...)
>>      {
>>      total_res = total_res + 1;
>>      SumStats::observe("dnp3 rtt", SumStats::Key(), SumStats::Observation($dbl=latency));
>>      }
>>
>>
>> Best,
>>
>> Hugo
>>
>> On Mon, May 6, 2019 at 9:16 AM Jim Mellander <jmellander at lbl.gov> wrote:
>>
>>> Hi Hugo:
>>>
>>> <snip>
>>> May I suggest a few things for SumStats? Maybe I missed something; I
>>> don't know how to directly obtain the number of data points recorded in SumStats,
>>> so I need to declare another global variable to record that. It would be
>>> useful if we could directly know how many data points have been recorded so far. The
>>> reason that I need the number of records is to calculate the 95% or 99%
>>> confidence interval. It would be great if we could include them directly in
>>> SumStats as well.
>>> <snip>
>>>
>>> Each result record returned to epoch_result has a 'num' field, which is
>>> a count of the number of observations that made up that result - is that
>>> what you're looking for?  If you're looking for a grand total of
>>> observations, I suppose they could be totalled up from the result records.
>>>
>>> Take care,
>>>
>>> Jim
>>>
>>>
>>
>> --
>> Hui Lin
>> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
>> DEPEND (http://depend.csl.illinois.edu/)
>> ECE, Uni. of Illinois at Urbana-Champaign
>>
>>

-- 
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
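The following is an added standalone Zeek script, not code from this thread or from the Zeek project, that sets up the "dnp3 rtt" stream the way the SumStats documentation does and keeps two manual counters next to it: a cumulative one (Hugo's `total_res`) and a per-epoch one that is reset in `$epoch_finished`. Each `epoch_result` record's `num` is the number of observations that went into that result, and SumStats resets its counters at every epoch, so `num` is expected to match the per-epoch counter and can legitimately go down from one epoch to the next, while the cumulative counter can only grow. Assumptions: the RTT is derived by pairing a `dnp3_application_request_header` with the next `dnp3_application_response_header` on the same connection (one outstanding request per connection; responses with no pending request are ignored), the key `[$str="all"]`, the SumStat name `"dnp3 rtt stats"` and the 10 s epoch are all arbitrary choices for the example.

```zeek
# Added example (not from the thread): compare SumStats `num` against a
# manual per-epoch and cumulative observation count, standalone, on a pcap.
@load base/frameworks/sumstats
@load base/protocols/dnp3

module DNP3RTT;

# Epoch length; arbitrary for the example (assumption).
const epoch_len = 10sec &redef;

# Cumulative number of observations handed to SumStats (Hugo's total_res).
global total_res: count = 0;

# Observations in the current epoch; reset whenever SumStats ends an epoch.
global epoch_res: count = 0;

# Timestamp of the last request seen per connection, for a crude RTT.
# Assumes one outstanding request per connection.
global req_ts: table[string] of time;

event zeek_init()
    {
    local r = SumStats::Reducer($stream="dnp3 rtt",
                                $apply=set(SumStats::AVERAGE, SumStats::MIN, SumStats::MAX));

    SumStats::create([$name="dnp3 rtt stats",
                      $epoch=epoch_len,
                      $reducers=set(r),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          local rv = result["dnp3 rtt"];
                          # rv$num counts the observations behind *this* result,
                          # i.e. this epoch; it is not a running total.
                          print fmt("%s num=%d manual_epoch=%d manual_total=%d avg=%.6f min=%.6f max=%.6f",
                                    strftime("%H:%M:%S", ts), rv$num, epoch_res, total_res,
                                    rv$average, rv$min, rv$max);
                          },
                      $epoch_finished(ts: time) =
                          {
                          # SumStats has reset its counters for the stream; do the same.
                          epoch_res = 0;
                          }]);
    }

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
    {
    req_ts[c$uid] = network_time();
    }

event dnp3_application_response_header(c: connection, is_orig: bool, application: count, fc: count, iin: count)
    {
    # Ignore responses with no pending request (e.g. unsolicited ones).
    if ( c$uid !in req_ts )
        return;

    local latency = network_time() - req_ts[c$uid];
    delete req_ts[c$uid];

    ++total_res;
    ++epoch_res;
    # Key with a fixed string so every observation lands in one result record.
    SumStats::observe("dnp3 rtt", [$str="all"], [$dbl=interval_to_double(latency)]);
    }
```

Run it as `zeek -r capture.pcap dnp3-rtt.zeek` (file names are placeholders). This only exercises the non-cluster code path Jim mentions; to check the cluster path, the same script has to run on a worker with the manager collecting results, and the per-epoch column is the one to compare against `num` there as well, since the cumulative column will never match a per-epoch `num`.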