racluster request

carter at qosient.com carter at qosient.com
Thu Oct 26 18:52:53 EDT 2006


Hey Rick,
Oh, I had a simple suggestion.  I can add a "cont" flag to help you get what you're interested in.  One problem with your original suggestion is that it changes the whole paradigm, so that older confif's would no longer work, this would avoid that problem.

The "-M ramon" operation causes the program to duplicate the record and reverse all the fields.  That may seem weird at first, but what it does is remove all the directional semantics.  What you end up with is all the objects are now in the 'src' fileds, and the metrics represent transmitted and received.  May seem weird, but it works.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "Denton, Rick" <rick.denton at cybertrust.com>
Date: Fri, 27 Oct 2006 08:17:38 
To:<carter at qosient.com>,"Argus" <argus-info at lists.andrew.cmu.edu>
Subject: RE: [ARGUS] racluster request

> 
> How about multiple sections in the racluster.conf file, with 
> separate rules and outputs? Each record is processed against 
> all the sections?

separate outputs sounds interesting but not neccessarily what one
wants.. you may want the separate aggregates in the same output for any
further processing.. but an option on the rule to specify an output
cuold be good thing..

> I also see how a simple fall through logic can be too simple, 
> but to do any other approach really begs for a programatic 
> like strategy, with "if then" like statements.  If your 
> interested in scoping this type of approach, we can do a 
> compiler for it!!!

possibly yes.. this is now becomming reminiscent of NeTraMet's err..
interesting.. language.. let's not use its ;)

racount is now just a special case of racluster (as i presume ramon is
also) but to racount and aggregate on separate things currently involves
multiple passes. Despite this i have never been able to figure out how
ramon 'folds' things together and have never managed to reproduce the
figures it produces by slicing and dicing anything else :\

a fall through with limitter and sensible arrangement of rules would
help a lot.. but defining a language / grammar for it would be more
entertaining (to my warped mind at least) :)

i'll have a think about a potential language and/or any other useful
approaches that may work.

... and it would be good if it's name was say.. 'ragator', the friendly
dragon ;) since it is still an aggregator .. 'racluster' sounds like it
is going to do something funky with multiple argii probes.. sort of like
radium i guess.. rather than 'cluster' flows..



More information about the argus mailing list