argus suggestions please

Carter Bullard carter at qosient.com
Mon Oct 8 11:20:46 EDT 2007


Oooops, I left out a step in my suggestion for building the top
20 talkers in a day, when you're memory constrained.  My
suggestion was:




On Oct 8, 2007, at 10:35 AM, Carter Bullard wrote:

> So Michael,

> [snip]

> If I was doing it, and I wanted to generate your lists and a top 20 talkers
> list at the end of the day and graph it, and I was challenged on memory,
> I would do this (assuming the MAC addresses in the argus records are
> the ones you want):
>
>    racluster -M norep -f ${file} -w - - ip | \
>    racluster -m smac saddr proto -M rmon -w - | \
>    rasort -m bytes smac saddr -w - | \
>    ra -N 1000 -w ${stats_dir}/...../day/period
>
> This will generate at the end of each time period the top 1000 talkers
> database: then when it's time to generate the top 20 talkers for the day:
>
>    rasort -R ${stats_dir}/.../day -m bytes smac saddr -w - |\
>    ra -N 20 -w top20.talkers.list
>
> That would really fly, I suspect.
>


I left out an aggregation step when it's time to generate the top 20 talkers
for the day.  In the first phase you end up with the top 1000 talkers for
each time period; those instructions are cool, but when it's time to generate
the daily top talkers list, you need to take those files and aggregate
them to get the single top talkers list.  The complete set for
phase two should be:

    racluster -m smac saddr -R ${stats_dir}/..../day -w - | \
    rasort -m bytes smac saddr -w - | \
    ra -N 20 -w top20.talkers.list
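
An added example, not part of the original message and not argus code: a Python model of the two phases on constructed (smac, saddr, bytes) rows, showing what phase two returns with and without the aggregation step. It goes slightly beyond the message by also measuring how many bytes each talker loses to the per-period cutoff; all function names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample data: (smac, saddr, bytes) rows per time period, standing
# in for the per-period records; real input would be argus records.
A = ("00:00:5e:00:53:01", "192.0.2.1")
B = ("00:00:5e:00:53:02", "192.0.2.2")
C = ("00:00:5e:00:53:03", "192.0.2.3")
PERIODS = [
    [(*A, 900), (*B, 300), (*C, 250)],
    [(*A, 800), (*C, 400), (*B, 350)],
    [(*B, 700), (*C, 650), (*A, 100)],
]

def by_bytes(rows):
    """Sort rows by byte count, largest first (the role rasort -m bytes plays)."""
    return sorted(rows, key=lambda r: r[2], reverse=True)

def period_top(rows, n):
    """Phase one: keep only the n largest talkers of one period."""
    return by_bytes(rows)[:n]

def aggregate(rows):
    """Merge rows sharing (smac, saddr) and sum their bytes."""
    totals = defaultdict(int)
    for smac, saddr, nbytes in rows:
        totals[(smac, saddr)] += nbytes
    return [(smac, saddr, total) for (smac, saddr), total in totals.items()]

def daily_top(period_files, n, merge=True):
    """Phase two; merge=False is sort-and-cut only, without the aggregation."""
    rows = [row for period in period_files for row in period]
    return by_bytes(aggregate(rows) if merge else rows)[:n]

def undercount(periods, keep):
    """Bytes per talker that the per-period cutoff removes from the daily total."""
    full = {(m, a): b for m, a, b in aggregate(r for p in periods for r in p)}
    kept = {(m, a): b for m, a, b in
            aggregate(r for p in periods for r in period_top(p, keep))}
    return {k: full[k] - kept.get(k, 0) for k in full}

if __name__ == "__main__":
    files = [period_top(p, 2) for p in PERIODS]
    print("sort only :", daily_top(files, 2, merge=False))
    print("aggregated:", daily_top(files, 2))
    print("undercount:", undercount(PERIODS, 2))
```

Without the merge the same talker fills both slots of the daily list, once per period; with it each talker appears once with summed bytes. The undercount shows that the daily totals are only as complete as the per-period cutoff allows.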


