racluster request

Denton, Rick rick.denton at cybertrust.com
Wed Oct 25 21:26:05 EDT 2006



would it be feasible to perhaps add a flag to the racluster config lines
to flag them as final?

with racluster and ragator the first matching rule matched and
processing stopped at that rule.. what i would _really_ like is to be
able to control more specifically which aggregates contained which data
by allowing multiple entries in the racluster.conf table to match...

a simplistic way to do this would be to allow for a 'final' flag on an
entry to say whether or not to stop processing yet.. this doesn't
completely do it but provides somewhat more control..

for example to aggregate per service as well as per protocol yielding
totals for both in a single run of racluster..

this would save me from having to make multiple passes over the data
which would save a _lot_ of processing time.. this coupled with the more
flexible filter="" matching on racluster over ragator would also reduce
a stage of prefiltering and reduce the processing time significantly
over filtering seemingly arbitrarily assigned address ranges and
counting of the approx 80gb of heavily compressed raw argus data a month
:/
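
The 'final' semantics requested above, modelled as an added example (not part of the original message and not racluster code or racluster.conf syntax). The rule table, the flow tuples and the `aggregate` function are hypothetical, and the flow records are constructed.

```python
from collections import defaultdict

# Constructed flow records (proto, dst port, bytes); not real argus output.
FLOWS = [
    ("tcp", 80, 1200),
    ("tcp", 443, 800),
    ("udp", 53, 90),
    ("tcp", 80, 300),
    ("icmp", 0, 64),
]

# Hypothetical rule table: (name, predicate, key function, final).
# 'final' is the flag proposed in the message, not an existing option.
RULES = [
    ("per-service", lambda f: f[0] in ("tcp", "udp"), lambda f: (f[0], f[1]), False),
    ("per-proto", lambda f: True, lambda f: (f[0],), True),
]

def aggregate(flows, rules, honor_final):
    """Sum bytes per (rule, key) in a single pass over the flows.

    honor_final=False models first-match behaviour: stop at the first match.
    honor_final=True keeps evaluating rules until a matching rule is final.
    """
    totals = defaultdict(int)
    for flow in flows:
        for name, match, key, final in rules:
            if not match(flow):
                continue
            totals[(name,) + key(flow)] += flow[2]
            if final or not honor_final:
                break
    return dict(totals)

if __name__ == "__main__":
    for mode in (False, True):
        print("honor_final =", mode)
        for k, v in sorted(aggregate(FLOWS, RULES, mode).items(), key=str):
            print("  ", k, v)
```

With first-match processing the tcp and udp flows never reach the per-protocol rule, so per-protocol totals need a second pass; with the flag honoured both sets of totals come out of one pass.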


