time range comparisons
Carter Bullard
carter at qosient.com
Fri Jan 26 15:00:08 EST 2007
Gentle people,
I'm finishing up the "-t " option specification and implementation, as
requested on the mailing list. We now have wildcarding on any
time field. All this flexibility makes the filter a bit complicated,
and the feature set is important, so the documentation becomes very
important.
In order to make it a bit simpler, I've changed the behavior so that
there is no implicit wildcarding any more. What that means is, if
you don't specify a year, month, or a day, the time filter assumes
this year, this month and today (prior to this the filter would
match on any year, month or day and performance was really bad,
as we had to do a lot of bending over to do the wildcarding).
I did this really to make the rules a bit easier, and to remove 'hidden'
functionality/behavior/complexity.
There are two basic formats for specifying a time. You can use a
standard time format, like "yyyy/mm/dd.HH:MM:SS" or you can
use a %d[ymdHMS] like format. A number by itself is the latter
form, and the default is 'H'.
All times are actually ranges. If you specify a single time, the lowest
level of granularity you specify will be the duration of the range. As an
example, if you specified down to the minute, the time range will
cover that entire minute.
So now if you were to specify a simple time filter such as:
    -t 12
It will only match records that intersect 12:00:00-13:00:00, today.
The default format is the "%d[ymdHMS]" format and the 'H' is the default.
So here are some other real examples:
    -t 2007/01/25.12:45
    -t 25d12H45M
    -t 23M
If you leave out a value, say for the year or the month, or whatever,
you'll get the current value, say this year, this month, this day, this
hour, etc....
To get wildcarding, you put '*' in the field you want to wildcard.
For the standard time format, field lengths are important!!!!
So to match 12 noon to 1 PM on any day last month:
    -t 2006/12/**.12
    -t 2006y12m*d12H
But to match 12 noon to 1 PM on any day this month (this being key):
    -t **.12
    -t **d12H
So what do you think? Is this a bit more understandable/usable?
Comments are more than welcome!!!
Carter
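
The rules in the message above (explicit fields, current values for anything left out, range length set by the finest field given), as an added Python sketch that is not part of the original post and is not the argus implementation. It covers only the non-wildcard %d[ymdHMS] form; the names parse_time_spec and intersects are hypothetical, and the boundary handling in intersects is an assumption.

```python
import re
from datetime import datetime, timedelta

UNITS = "ymdHMS"  # coarsest to finest, as in the %d[ymdHMS] notation
FIELDS = ["year", "month", "day", "hour", "minute", "second"]
FLOOR = [1, 1, 1, 0, 0, 0]  # smallest legal value of each field

def parse_time_spec(spec, now):
    """Return (start, end) for a non-wildcard %d[ymdHMS] spec; end is exclusive."""
    if spec.isdigit():
        spec += "H"  # a number by itself defaults to hours
    tokens = re.findall(r"(\d+)([ymdHMS])", spec)
    if not tokens or "".join(n + u for n, u in tokens) != spec:
        raise ValueError(f"not a plain %d[ymdHMS] time spec: {spec!r}")
    given = {}
    for number, unit in tokens:
        if unit in given:
            raise ValueError(f"field {unit!r} given twice in {spec!r}")
        given[unit] = int(number)
    finest = max(UNITS.index(u) for u in given)
    values = []
    for i, unit in enumerate(UNITS):
        if unit in given:
            values.append(given[unit])
        elif i < finest:
            values.append(getattr(now, FIELDS[i]))  # left out: current value
        else:
            values.append(FLOOR[i])  # below the finest field: start of range
    start = datetime(*values)  # raises ValueError for e.g. 13m or 25H
    if finest == 0:
        end = start.replace(year=start.year + 1)
    elif finest == 1:
        # day is already 1 here, so +32 days always lands in the next month
        end = (start + timedelta(days=32)).replace(day=1)
    else:
        end = start + timedelta(**{FIELDS[finest] + "s": 1})
    return start, end

def intersects(rec_start, rec_end, time_range):
    """True if a record's [rec_start, rec_end] overlaps the filter range.
    Assumption: the filter range is half-open, so a record that begins
    exactly at the range end does not match."""
    start, end = time_range
    return rec_start < end and rec_end >= start

if __name__ == "__main__":
    now = datetime(2007, 1, 26, 15, 0, 8)  # constructed "current time"
    for spec in ("12", "25d12H45M", "23M"):
        print(spec, *parse_time_spec(spec, now))
```
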