You'll get a better error message/behavior now using:
https://github.com/bro/bro/commit/f336c8c710bdeb41eb0aba88967ee90da24848b2
But ultimately, you likely want to do something like this patch:
--- known-hosts-with-dns.bro.orig 2018-08-15 11:07:41.000000000 -0500
+++ known-hosts-with-dns.bro 2018-08-15 10:44:03.000000000 -0500
@@ -113,7 +113,7 @@
for (ip in r$result as addr_set){
when ( local res = Broker::get(Known::host_store$store,ip)){
- if(res?$result){
+ if(res$status == Broker::SUCCESS){
@if ( ! Cluster::is_enabled() )
Known::hosts[ip] = fmt("%s",res$result as string);
@else
As for why some keys no longer exist in those lookups immediately
after retrieving the full key set: my guess is they simply expired
between those two points in time, but I didn't dig into it. The main
point would be to never assume the Broker::get() call succeeds, which
was likely your intent, except "res?$result" is always true (another
form of checking the data exists would be "res$result?$data").
- Jon