Correct way to log record with modification

Hi all!
I am new to Bro and am trying to solve a programming problem:

I am catching DNS packets from the interface, changing some fields and trying to write them to a log.

For that goal, I use a record with the fields:

type Info: record {
    ts: string &log;
    src_ip: addr &log;
    query: string &log;
};

Getting the DNS data from the conn log.
Making manipulations on the ts, like changing the format.

And then writing the fields to a new log:

Log::write(new_dns::Log, [$ts=change_format_func(conn$ts),
                          $src_ip=conn$src_ip,
                          $query=conn$query]);

Here are the questions:

  1. How do I handle an uninitialized field? The assignment conn$query failed.
  2. If I have a lot of fields to log, do I need to write them all in the write command or is there some shortcut? Remember that I must modify the fields.

Love for your help,
John

1. How do I handle an uninitialized field? The assignment conn$query failed.

You can first check if it's initialized via the ?$ operator. More docs on various operators at [1].

2. If I have a lot of fields to log, do I need to write them all in the write command or is there some shortcut? Remember that I must modify the fields.

You don't have to put them inside the Log::write() function call, though there's no getting around the fact that you'll need to create one 'info' value per call. You can do that inline with the call like you had shown, or you can create the value and store it in a local/global variable, or possibly abstract out common patterns that you find into some other custom function. You can decide whichever way fits.

- Jon

[1] https://www.bro.org/sphinx/script-reference/operators.html
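The following is an added example (not code from either poster) that puts both answers together in one small Bro script: it declares the record and the log stream, guards the optional query field with the ?$ operator, and builds one Info value in a helper function before passing it to Log::write(). The module name NewDNS, the log path "new_dns", and the change_format_func helper are assumptions chosen for illustration; DNS::Info and the DNS::log_dns event are part of the standard Bro DNS analyzer, and its query field is declared &optional, which is why a check is needed before reading it.

```bro
# Added example: one Info value per record, optional fields guarded with ?$.
module NewDNS;

export {
    # Assumed log stream ID for this module.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     string &log;
        src_ip: addr   &log;
        # Marked &optional so the value is valid even when no query is known.
        query:  string &log &optional;
    };
}

# Assumed helper: render the timestamp in a different format.
function change_format_func(t: time): string
    {
    return strftime("%Y-%m-%dT%H:%M:%S", t);
    }

event bro_init()
    {
    Log::create_stream(NewDNS::LOG, [$columns=Info, $path="new_dns"]);
    }

# Build the value in one place so the field modifications are not repeated
# at every Log::write() call.
function build_info(rec: DNS::Info): Info
    {
    local info: Info = [$ts=change_format_func(rec$ts),
                        $src_ip=rec$id$orig_h];

    # DNS::Info$query is &optional; reading it unguarded would fail at
    # runtime for records without a query.
    if ( rec ?$ query )
        info$query = rec$query;

    return info;
    }

# Fires once for every record the DNS analyzer is about to log.
event DNS::log_dns(rec: DNS::Info)
    {
    Log::write(NewDNS::LOG, build_info(rec));
    }
```

Adding more fields then means extending Info and build_info() only; the Log::write() call stays a single line. If a field must never be absent from the output, leave &optional off and assign a default in build_info() instead of skipping it.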