racluster request

[carter at qosient.com]

Well, there is no doubt that ragator() was a good name, so we maybe able to keep it going with this little project.  

OK, so getting some notion as to what we're contemplating.  I think in terms of streams and pipelines.  I can imagine a way to specify to ragator() that it set up many streams, and I can also think about branching streams, where at some point in a pipeline, we decide to split the stream into branches.  Once we set up the flow of records, then we can specify where along the stream aggregation should occur, and what the rules should be.  Could this type of system help?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "Denton, Rick" <rick.denton at cybertrust.com>
Date: Fri, 27 Oct 2006 08:17:38 
To:<carter at qosient.com>,"Argus" <argus-info at lists.andrew.cmu.edu>
Subject: RE: [ARGUS] racluster request

> 
> How about multiple sections in the racluster.conf file, with 
> separate rules and outputs? Each record is processed against 
> all the sections?

separate outputs sounds interesting but not neccessarily what one
wants.. you may want the separate aggregates in the same output for any
further processing.. but an option on the rule to specify an output
cuold be good thing..

> I also see how a simple fall through logic can be too simple, 
> but to do any other approach really begs for a programatic 
> like strategy, with "if then" like statements.  If your 
> interested in scoping this type of approach, we can do a 
> compiler for it!!!

possibly yes.. this is now becomming reminiscent of NeTraMet's err..
interesting.. language.. let's not use its ;)

racount is now just a special case of racluster (as i presume ramon is
also) but to racount and aggregate on separate things currently involves
multiple passes. Despite this i have never been able to figure out how
ramon 'folds' things together and have never managed to reproduce the
figures it produces by slicing and dicing anything else :\

a fall through with limitter and sensible arrangement of rules would
help a lot.. but defining a language / grammar for it would be more
entertaining (to my warped mind at least) :)

i'll have a think about a potential language and/or any other useful
approaches that may work.

... and it would be good if it's name was say.. 'ragator', the friendly
dragon ;) since it is still an aggregator .. 'racluster' sounds like it
is going to do something funky with multiple argii probes.. sort of like
radium i guess.. rather than 'cluster' flows..