simple ra time filter question...

Carter Bullard carter at qosient.com
Thu Jan 4 10:03:28 EST 2007 

Hey Poncenby,
Hmmmm, well you can't do the wildcard year thing given the current
strategy.   I'll add this feature, but its low on the priority list.
    -t "****/11"

Carter


On Jan 3, 2007, at 5:13 PM, poncenby smythe wrote:

> Carter Bullard wrote:
>> Hey Philipp (and poncenby),
>> I found a problem in the time parsing, and all seems to be working  
>> now.
>> I'll try to put up new code tomorrow, or later tonight.
>>> On Wed, Dec 20, 2006 at 11:27:00PM +0000, poncenby smythe wrote:
>>>> what would the command line look like to read an argus file  
>>>> 'argus.data'
>>>>   and only show records for November 2006?
>> this filter will work with older versions of argus-3.0:
>>    "-t 2006/11/01+1M"
>> this will work now with the fixes I put in, and would be a better  
>> filter:
>>    "-t 2006/11+1M"
>
> thanks for clearing that up, the second example seems logical as  
> this is the method for specifying a range or hours/minutes/seconds.
>> If you only have one "/", it assumed that you were specifying "mm/ 
>> dd",
>> which is in the documentation.  Now it will accept "yyyy/mm".
>
> what would the -t value be to filter on all records in November,  
> spanning multiple years?
>
>> There is some ambiguity on how the time range works, and so
>> I'll need some help to describe it so that its understandable.   
>> Here's
>> a start, but more is needed, so if we can get a dialog going, at  
>> least
>> it will be in the mail archive.
>> There are basically 2 time strategies, explicit and relative time,
>> and three range comparisons; span, inclusive, and exclusive.
>> Explicit is specified with two complete time values, (explicit  
>> start and stop
>> times with year, month, day, hour, min, and sec specified).   If  
>> the start time
>> value is explicit, then the second time will also be explicit, so  
>> you don't have
>> to put in the year, in both, as an example (unless you cross a year
>> boundary, of course :o).  Parsing the two values generates a fixed  
>> time
>> range that is compared against the timestamps in the argus records.
>> There are two ways to specify a time value; datetime and offset.
>> A datetime value has a year/month/day.hour:min:sec format, but you
>> don't have to provide the year, month, day, hour, minute or second
>> values if they are the same as the current time's values.
>> Offsets are [-/+] values from the current time, or from a given  
>> starting
>> point.  The format is [-/+] num"smhdMy", where the "smhdMy" stands  
>> for
>> seconds, minutes, hours, days, Months or years.  Offsets always force
>> the time to be explicit, as they are generally designed to specify  
>> a range
>> against the current time, which is an explicit time value.
>> Examples are:
>>    "2005/09/11.09:52:41-13:00:03"
>>    "01/02.23-23:11"
>>    "01.07:12:29-08:03:55"
>>    "-12d+5m"
>>    "2005/09/01+1M"
>>    "-5m"
>> However, be cautious with the offset specification.  The filters:
>>     " -2d+5m "
>>     " -2d-5m "
>> are different.  The first is the range "-2 days from now" to  
>> start, and the
>> ending time is "+5 minutes" later.  The second is the range "-2  
>> days -
>> 5 minutes" to start, and ends at "-2 days".  This is probably a  
>> bad thing,
>> but its the result of having signed values relative to a specified  
>> time.
>> So, for relative ranges, it will be best if you always use the "+"  
>> operator.
>> When the time is not completely specified, where the year, month
>> or day are not specified, then the time range is relative and as a
>> result, the time filter can match independent of year, month and/ 
>> or day.
>> So the filter:
>>    " 12-14 "
>> which is 12 noon to 2 PM, will match independent of what day you  
>> feed the
>> filter.  So if you run through a weeks worth of data, the time  
>> range will be
>> used against Mon, Tues, Wed, etc....  This is great for comparing  
>> time-of-day
>> trends and behaviors.  Because there is wildcarding, the  
>> performance is
>> not that good, so try to be explicit in your time range  
>> specifications.
>> The three comparison modes are there to specify how you want to  
>> compare
>> the times.  "Inclusive" is where the record start and stop times  
>> cover the
>> timerange.  This is great when you want to know "what flows were  
>> active
>> during this time range", and is invaluable for understanding flows  
>> that may
>> be used to control other flows.
>> "Exclusive" is where both the start and stop times are within the  
>> timerange.
>> This is important to find the dependent flows, ie flows that must  
>> complete
>> in order for this flow to finish.
>> "Span" allows for any overlap to match, this is the default.
>> You specify the type using "ies" as the first character of the  
>> time specification.
>
> not sure what "ies" means, the letter 'x' is the first character in  
> the example below
>
>> So, if you wanted to find any record that is totally contained  
>> within the
>> time range 12:31:15-12:53:16 on Dec 23, 2006:
>>    -t  x2006/12/23.12:31:15-12:53:16
>> OK, so if there is any issue with understanding the idea behind  
>> time filters,
>> please send some mail to the list!!!!
>
> apart from the comments above, clear as crystal!
>
>
>> Carter
>> On Dec 21, 2006, at 1:33 AM, Philipp E. Letschert wrote:
>>> On Wed, Dec 20, 2006 at 11:27:00PM +0000, poncenby smythe wrote:
>>>> what would the command line look like to read an argus file  
>>>> 'argus.data'
>>>>   and only show records for November 2006?
>>>
>>> ra -r argus.data -t 2006/11/01-2006/11/30
>>>
>>> The only drawback, is that you need to know the actual number of  
>>> days in a month
>>>
>>>> i can't understand the -t section of the man ra page at all!
>>>
>>> There are three possibilities what a time range could look like
>>> 1) [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
>>> 2) [yyyy/]mm/dd
>>> 3) -%d{yMdhms}
>>>
>>> the parameters in square brackets are optional, so for 1)  
>>> specifying a number
>>> with 2 digits will always be interpreted as hour, you can expand  
>>> it to the left
>>> (by adding dd.) or to the right (by adding :mm).
>>>
>>> the second one shows how dates are handled, so you can see that  
>>> 2006/11 would
>>> beinterpreted as month/day, the only way to see the whole month  
>>> is using a range
>>> with '-'.
>>>
>>> the last one is puzzling to me, as I understood it is a offset  
>>> back in the past,
>>> so I expected either -1M or -51d-21d to show only records from  
>>> the last month,
>>> but this did not work.
>>>
>>> Regards, Philipp
>>>
>> ===========================================================
>> This email has been verified as Virus free
>> Virus Protection and more available at http://www.plus.net
>> ===========================================================
>> ===========================================================
>> This email has been verified as Virus free
>> Virus Protection and more available at http://www.plus.net
>> ===========================================================
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070104/ae5c7eb2/attachment.html>

More information about the argus mailing list