Hey Michael,
I tried to stick to what you had and assumed the rest. I got it to work and here is what I had.
    type Bandwidth: record {
        pair: string &log;
        bytesIn: count &log;
        bytesOut: count &log;
    };

    # Every distinct (pair, bytesIn, bytesOut) record seen so far.
    global bandwidth: set[Bandwidth];

    event connection_state_remove(c: connection)
        {
        # Key the connection by "originator,responder" address.
        local mypair = fmt("%s,%s", c$id$orig_h, c$id$resp_h);
        # Bytes sent by the originator and by the responder.
        local bin = c$orig$size;
        local bout = c$resp$size;

        local thispair: Bandwidth;
        thispair$pair = mypair;
        thispair$bytesIn = bin;
        thispair$bytesOut = bout;

        if ( thispair in bandwidth )
            print fmt("My pair %s", thispair);
        else
            {
            print fmt("My pair 2 %s", thispair);
            add bandwidth[thispair];
            }
        }
Here are results:
My pair 2 [pair=2601:347:c200:xxx:xxx:xxx:xxx:xxx,2607:f8b0:xxx:xxx::xxx, bytesIn=2737, bytesOut=1350]
My pair [pair=192.168.x.x,224.0.0.252, bytesIn=54, bytesOut=0]
I don’t think any bytes will return NULL, but you may want to consider doing " &log &optional ".
Also… this was run on bro-2.4.
Hope this helps!
RedLight