[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bro
Subject:    [Zeek] Report SumStat$epoch_result with no observations
From:       Pedro_Magalhães <pedromagalhaes_2000 () hotmail ! com>
Date:       2021-12-17 1:45:15
Message-ID: 163970551577.653.13922576278439130946 () lists ! zeek ! org
[Download RAW message or body]

Hey guys,
I've written this small Zeek script to count and print the number of ICMP requests \
seen every specific time interval. Unfortunately, it does not report the value if \
there are no observations in that time interval... Any suggestion on how I could make \
it so it still reports 0 if there are no observations?

Best regards,
Pedro

@load base/frameworks/sumstats

module METRIC_TRACK;

export {
    const icmp_request_epoch_interval = 5secs &redef;
}

event zeek_init()
{
    local icmp_request_r = SumStats::Reducer($stream="metric.icmp.request", \
$apply=set(SumStats::SUM));  SumStats::create([$name = "metric.icmp.request.count", 
                      $reducers = set(icmp_request_r),
                      $epoch = icmp_request_epoch_interval,
                      $epoch_result(s: time, key: SumStats::Key, result: \
SumStats::Result) =  {
                          print(fmt("Found %d icmp requests in the last interval", \
double_to_count(result["metric.icmp.request"]$sum)));  }
    ]);
}

event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, \
payload: string) {
    SumStats::observe("metric.icmp.request", SumStats::Key(), \
SumStats::Observation($num=1)); }

--
zeek mailing list -- zeek@lists.zeek.org
To unsubscribe send an email to zeek-leave@lists.zeek.org


[prev in list] [next in list] [prev in thread] [next in thread]