select element of set of records

Reinhard_Gentz · November 15, 2016, 8:43pm

Hi

I want to send one element of a set of records to a remote event via broker to python. But i can only set the complete set of records

The code below works, but i receive all elements of the set of records, not just the one i want to select. When I execute the code below on the other side i receive {(whatever, 1), (whatever, 2)} but i only want to receive {(whatever, 1)}. I know i can filter out the unnecessary data in python, but it seems wasteful of the bandwidth and computation needed.

type mytest: record{
b: string &default= “inhere”;
};
type myrecordset: set[mytest];
local myrecord2 = myrecordset([$b=“1”],[$b=“2”]);

global my_event3: event(msg: myrecordset);

Broker::send_event(“bro/events/my_event”, Broker::event_args(my_event3,myrecord2[mytest($b=“1”)]));

Azoff_Justin_S · November 15, 2016, 9:33pm

I don't really follow.. why aren't you just doing

global my_event3: event(msg: mytest);
Broker::send_event("bro/events/my_event", Broker::event_args(my_event3, mytest($b="1")));

myrecord2 is a set of two records. If you only want to send one of the records, just send one of the records, not the set.

It might make more sense if you describe what you're trying to do here.

Reinhard_Gentz · November 15, 2016, 9:46pm

The reason is that the creation of the set elements and sending them out might not happen at the same time and i do not know how how many elements I will have.
The overall idea is that i make one element in the set for each ip address observed, that will have each the corresponding subelements a,b,c saved.
If a critical condition occurs then send the record of that single ip (with the corresponding elements a,b,c) out to python for handling.

Second from that I thought i can access the elements the following way but it does not work as expected, tell me what i am doing wrong:
myrecord2[mytest($b=“1”)]$a #from myrecord2 take the set element record where b is “1” and from that return the content of a.

Azoff_Justin_S · November 15, 2016, 9:55pm

You don't want a set then, you want a table[string] of mytest and

mytable["1"] = mytest($b="1", a="2");
mytable["2"] = mytest($b="2", a="4");
...
mytable["1"]$a

or something similar.. It's hard to say without more information.. but you definitely do not want a set.

Reinhard_Gentz · November 15, 2016, 11:27pm

Thank you for your input. The conversion to tables did what I wanted. Thanks

As a side effort to this project I made a bro2rabbitmq script that can take any data from bro and send it out to rabbitmq via broker. Once fully finished I will upload it to github…

Topic		Replies	Views
How to use Broker::Data in an event handler? Development development	5	102	May 6, 2022
Atomic operations on Broker store Zeek	3	77	May 6, 2022
Side effects on record fields when triggering events Zeek	2	54	May 6, 2022
Reading a table from an external file Zeek	6	66	May 6, 2022
Accessing elements in set type Zeek development	1	176	December 1, 2022

select element of set of records

Related Topics