I'm writing to a global table with two items in a set (global blah: set[addr,string] &write_expire = 4 hrs;)
I'm adding items into the table like this: add blah[a,b];, then adding a notice for an external parser to deal with. Is there any way to only send the notice every four hours?
Assuming you want to report a single entry every 4 hours, a common idiom
is to maintain a separate set that tracks the entries already reported:
global blah_reported: set[addr,string] &create_expire = 4 hrs;
And in your event handler:
if ([a,b] !in blah_reported)
    {
    add blah_reported[a,b];
    # raise the notice for the external parser here, as before
    }
If you want to instead elicit a list of Notice every 4 hours, you would
need to implement some notice buffering. (Depending on your analysis,
this could be quite memory-intensive and thus requires care.) In this
setting, you could let a dummy variable expire and flush the buffer with
notices in the expiration function - scan.bro uses a similar technique.
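A complete script putting both idioms from the reply together (an added example, not code from the original thread): the dedup set for one notice per pair per 4 hours, and a dummy table entry whose expiration function flushes a notice buffer. The module name, the Pair_Seen notice type and the record_pair/flush_buffer function names are assumptions.

```bro
module PairReport;

export {
    redef enum Notice::Type += {
        # One notice per (addr, string) pair per 4 hour window.
        Pair_Seen
    };
}

# The set from the question: entries expire 4 hours after their last write.
global blah: set[addr, string] &write_expire = 4 hrs;

# Idiom 1: pairs already reported; an entry vanishes 4 hours after it was added.
global blah_reported: set[addr, string] &create_expire = 4 hrs;

# Idiom 2: buffer notices and flush them when a dummy table entry expires.
global notice_buffer: set[addr, string];

# Expire function for the dummy entry: emit everything buffered, then return
# 4 hrs to delay the expiration, which re-arms the timer for the next window.
function flush_buffer(t: table[string] of count, idx: string): interval
    {
    for ( [a, b] in notice_buffer )
        NOTICE([$note=Pair_Seen, $src=a, $msg=fmt("pair %s / %s seen", a, b)]);
    clear_table(notice_buffer);
    return 4 hrs;
    }

global flush_timer: table[string] of count
    &create_expire = 4 hrs &expire_func = flush_buffer;

event bro_init()
    {
    # Insert the dummy entry; expiration is checked at table_expire_interval
    # granularity, so the flush runs only approximately every 4 hours.
    flush_timer["tick"] = 0;
    }

# Call this wherever the original script did "add blah[a,b]".
function record_pair(a: addr, b: string)
    {
    add blah[a, b];
    if ( [a, b] in blah_reported )
        return;                  # already reported within the last 4 hours
    add blah_reported[a, b];
    add notice_buffer[a, b];     # held for the next flush; use NOTICE()
                                 # directly here for idiom 1 on its own
    }
```

The buffer grows with the number of distinct pairs seen per window, which is the memory cost the reply warns about.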