Timeranges

Peter Van Epp vanepp at sfu.ca
Tue Feb 10 23:46:55 EST 2004 

        You will indeed have overlaps at the boundary. The time range command
accepts any flow that intersects the time range (i.e. starts before but ends
after the selected start time, or starts before the end time and ends after
the end time). This means that flows that cross the boundary either way will
be included in both sections. You would probably need to write something that
detected such flows and deleted them in one record or the other. 
	The simple solution of course would be to change your cron job for 
future entries to cut the interval in half and stick the two segements 
together in ra to process a whole day's records as you used to do before it 
got too large. That should avoid the split problem entirely with current 
technology.
        Another option would be to convince Carter to change the time range
command (possibly with a different flag) to something like a rule "if the
start is in the time range include it, if it isn't don't (because it will get
picked up in the next split interval)" which would include the flow in only one
of the two split flows at the cost of a change in semantics. A new flag may be 
in order because both options may be useful at different times since they do 
slightly different things. 
	We would need to think carefully about the boundary conditions though 
to make sure it doesn't do something unexpected (at first thought I think it 
should work though).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Wed, Feb 11, 2004 at 12:17:22PM +1000, Andrew Pollock wrote:
> On Wed, Feb 11, 2004 at 12:56:50PM +1100, Steve McInerney wrote:
> > Hi Andrew,
> > 
> > I've not done it for hours per se, but have done days. The ra man page 
> > gives the details on how to do hours as well. Just a minor modification.
> > 
> > from my notes:
> > ra -n -w ~/argus-oct.argus -t '2002/10/01-2002/10/31' -r 
> > /var/log/argus/argus.out.0.bz2 ?
> 
> What I'm currently experimenting with is:
> 
> ra -r 2003-12-01 -t 12/01.00-12
> and
> ra -r 2003-12-01 -t 12/01.12-24
> 
> but I suspect I'm going to have overlap/underlap issues.
> 
> i.e. I've already got logfiles on a daily basis, I want to split them down
> further
> 
> Andrew

More information about the argus mailing list