Time filters

Rafael Barbosa rrbarbosa at gmail.com
Tue Jul 13 11:08:11 EDT 2010


Hi,

I can confirm that in version 3.0.3.15 the time filters are being handled
correctly by ra. I just did a few tests and in all of them I've got the
expected results. However, I am still not able to use ragraph together with
time filters. I get the same result as before (now with the -D5 flag):

$ragraph -D5 pkts -M 5min  -t 2009/01/22  -r file.argus -title "Total Load" -w pkts-peak.png
rabins[21152.20cc2670ff7f0000]: 16:51:46.412716 ArgusFilterCompile () waiting for filter process 21153 on pipe 3
rabins[21153.20cc2670ff7f0000]: 16:51:46.412989 ArgusFilterCompile () calling argus_lex_init(pkts -M 5min -t 2009/01/22 -r flie.argus)
rabins[21153.20cc2670ff7f0000]: 16:51:46.413115 ArgusFilterCompile () calling argus_parse()
rabins[21152.20cc2670ff7f0000]: 16:51:46.612906 ArgusFilterCompile () filter process 21153 terminated
rabins[21152.20cc2670ff7f0000]: 16:51:46.612955 ArgusFilterCompile () child 21153 exited 1
rabins[21152.20cc2670ff7f0000]: 16:51:46.813204 ArgusFilterCompile () done -1
rabins[21152]: 16:51:46.813252 pkts -M 5min -t 2009/01/22 -r file.argus filter syntax error
rabins[21152.20cc2670ff7f0000]: 16:51:46.814104 ArgusShutDown (-1)
rabins[21152.20cc2670ff7f0000]: 16:51:46.814238 ArgusDeleteQueue (0x500200) returning
rabins[21152.20cc2670ff7f0000]: 16:51:46.814333 ArgusDeleteQueue (0x500260) returning
rabins[21152.20cc2670ff7f0000]: 16:51:46.814417 RaParseComplete(caught signal -1)
usage: /Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph metric (srcid | proto [daddr] | dport) [-title "title"] [ra-options]
/Users/barbosarr/workspace/argus-clients-3.0.3.15/bin/ragraph: unable to create `/var/tmp/tmp.0.pU5NQN.rrd': start time: unparsable time:

The patch you proposed before does not seem to be in use for version
3.0.3.15. I also tried to apply the patch myself, but the error is the same.

Rafael

On Tue, Jul 13, 2010 at 4:04 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Did some quick tests and it seems that everything works in version
> 3.0.3.15:
> $./ra -D5 -t  2009/01/22.00-2009/01/22.23
> ra[20791.20cc2670ff7f0000]: 15:58:35.724971 ArgusParseTime (0x512000, 0x512108, 0x7026e960,2009,  , 0.000004) retn 1232578800: 1606413180
> ra[20791.20cc2670ff7f0000]: 15:58:35.725100 ArgusParseTime (0x512000, 0x512140, 0x512108,2009, -, 0.000004) retn 1232661600: 1606413176
> ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232578800.000000-1232661600.000000
> ra[20791.20cc2670ff7f0000]: 15:58:35.728330 ArgusParseTimeArg (2009/01/22.00-2009/01/22.23, 4, 0x7026e960)
>
> $./ra -D5 -t  2009/01/22
> ra[20787.20cc2670ff7f0000]: 15:57:08.660057 ArgusParseTime (0x512000, 0x512108, 0x512140,2009,  , 0.000003) retn 1232578800: 1606413212
> ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat (0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000
> ra[20787.20cc2670ff7f0000]: 15:57:08.660443 ArgusParseTimeArg (2009/01/22, 4, 0x7026e960)
> ra[20787.20cc2670ff7f0000]: 15:57:08.660922 ArgusAddFileList (0x512000, -, 1, -1, -1) returning 1
>
> And in my system:
> $date -r 1232578800
> Thu Jan 22 00:00:00 CET 2009
> $date -r 1232661600
> Thu Jan 22 23:00:00 CET 2009
> $date -r 1232665200
> Fri Jan 23 00:00:00 CET 2009
>
> I still did not have the time to replot the graphs. However, as the time
> ranges are being decoded correctly, I expect everything to be OK. I will
> report back if I have any further problems with these time filters.
>
> Thanks,
> Rafael
>
>
> On Tue, Jul 13, 2010 at 9:47 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>
>> I will install this version and report the results better today. Regarding
>> the summer time, yes we do have it, from the last Sunday of March to the
>> last Sunday of October.
>>
>> Rafael
>>
>> On Tue, Jul 13, 2010 at 4:11 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> Hey Rafael
>>> The new argus-clients-3.0.3.15 fixes this problem.  Please
>>> give this a try on your machine to see if you don't see a correction.
>>>
>>>    http://qosient.com/argus/dev/argus-clients-3.0.3.15.tar.gz
>>>
>>> Carter
>>>
>>>  On Jul 12, 2010, at 11:08 AM, Rafael Barbosa wrote:
>>>
>>> Ok. Let me try to answer all questions:
>>>
>>>
>>> When I convert your range for Jan 22, 2009, using
>>>
>>> "date -r 1232492400" and "date -r 1232578800", I get the range:
>>>
>>>
>>>>    Tue Jan 20 18:00:00 EST 2009 - Wed Jan 21 18:00:00 EST 2009
>>>
>>>
>>>> Do you get similar results on your system?
>>>
>>>
>>> I get a different range, by the way, I am using a MacOS X 10.6.4:
>>> $ date -r 1232492400
>>> Wed Jan 21 00:00:00 CET 2009
>>> $ date -r 1232578800
>>> Thu Jan 22 00:00:00 CET 2009
>>>
>>> Does this mean ra is checking the day 21 instead of 22 in my system?
>>>
>>> Where are you located and what timezone is your system using?
>>>
>>>
>>> Enschede, NL - Central European Timezone (CET)
>>>
>>> Are you using the RA_TZ variable in your raTime.conf file? What
>>>> string are you using there?
>>>
>>> No.
>>> $ cat raTime.conf
>>> RA_TIME_FORMAT="%F_%H:%M"
>>>
>>> What range does your client show when you use the times that do work?
>>>>    ra -D5 -t  2009/01/22.00-2009/01/22.23
>>>>
>>> ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600
>>>
>>> And how does your system interpret those time ranges?
>>>
>>> Wed Jan 21 00:00:00 CET 2009 - Thu Jan 22 23:00:00 CET 2009
>>>
>>> My understanding is that the filter "2009/01/22" is checking day 21 in my
>>> system while  "2009/01/22.00-2009/01/22.23" include all flows from day 21
>>> until 23h at day 22. Is that correct?
>>>
>>> Best regards,
>>> Rafael
>>>
>>> ps.: In my timezone it is 5pm now, so I probably can only reply to a
>>> follow-up message tomorrow...
>>>
>>>
>>>
>>>  Carter Bullard
>>> CEO/President
>>> QoSient, LLC
>>> 150 E 57th Street Suite 12D
>>> New York, New York  10022
>>>
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>>
>>>
>>>
>>
>
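
Added example (not part of the original messages and not argus code): a small Python check that reads the ArgusCheckTimeFormat lines from -D5 output, recomputes the epoch range each -t argument should select, and flags a decoded range that is off, as with the one-day shift discussed in this thread. It assumes a fixed UTC+1 offset for the poster's CET in January and takes the range semantics (a bare date covers midnight to the next midnight; .HH marks the start of that hour) from the 3.0.3.15 output quoted above; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC+1 stands in for CET (no summer time in January).
CET = timezone(timedelta(hours=1), "CET")

# Sample input assembled from the -D5 lines quoted in this thread:
# the first is the earlier, shifted decoding; the others are from 3.0.3.15.
SAMPLE_LOG = """\
ra[9394.20cc2670ff7f0000]: 16:47:54.678576 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232492400-1232661600
ra[20791.20cc2670ff7f0000]: 15:58:35.728315 ArgusCheckTimeFormat (0x7026e960, 2009/01/22.00-2009/01/22.23) retn 0: 1232578800.000000-1232661600.000000
ra[20787.20cc2670ff7f0000]: 15:57:08.660308 ArgusCheckTimeFormat (0x7026e960, 2009/01/22) retn 0: 1232578800.000000-1232665200.000000
"""

LINE = re.compile(
    r"ArgusCheckTimeFormat \(0x[0-9a-f]+, (?P<arg>\S+)\) retn -?\d+: "
    r"(?P<start>\d+)(?:\.\d+)?-(?P<end>\d+)(?:\.\d+)?"
)

def _epoch(text, tz):
    """Parse 'YYYY/MM/DD' or 'YYYY/MM/DD.HH' as local time in tz."""
    date, _, hour = text.partition(".")
    dt = datetime.strptime(date, "%Y/%m/%d").replace(tzinfo=tz)
    return int((dt + timedelta(hours=int(hour or 0))).timestamp())

def expected_range(arg, tz=CET):
    """Epoch (start, end) that a -t argument should select."""
    first, _, last = arg.partition("-")
    start = _epoch(first, tz)
    # A bare date means the whole day: midnight to the next midnight.
    end = _epoch(last, tz) if last else start + 86400
    return start, end

def check_log(log, tz=CET):
    """Return (arg, decoded, expected, ok) for each ArgusCheckTimeFormat line."""
    results = []
    for m in LINE.finditer(log):
        decoded = (int(m["start"]), int(m["end"]))
        want = expected_range(m["arg"], tz)
        results.append((m["arg"], decoded, want, decoded == want))
    return results

if __name__ == "__main__":
    for arg, decoded, want, ok in check_log(SAMPLE_LOG):
        drift = decoded[0] - want[0]
        print(f"{arg}: decoded={decoded} expected={want} "
              f"{'OK' if ok else f'MISMATCH (start off by {drift}s)'}")
```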