Excluding the 'record' field when using with rasqlinsert

Matt Brown matthewbrown at gmail.com
Mon Jun 24 13:13:55 EDT 2013 

Thanks Carter.  Details like this are just below the surface to you, but
"buried in the code" for (newish) users like me.  I believe there's value
in include the details.


Thanks,

Matt



On Jun 24, 2013, at 11:06 AM, Carter Bullard <carter at qosient.com> wrote:

Hey Matt,
This is documented in the racluster() man page.  Anytime you use
the " -m <aggregation object> " option, you are doing general
aggregation, which is covered by racluster().  I'll put a
statement to this effect in the rasqlinsert() man page.

We are having somes issues with 3.0.7.x rasqlinsert() at a few
sites, so if you are having problems, it may be related ( not
creating tables, not updated some flows).

I'm working these issues today, so if you run into a problem,
holler.  Hopefully it will be the same problem we're fixing.

Carter



On Jun 22, 2013, at 10:30 PM, Matt Brown <matthewbrown at gmail.com> wrote:

Very cool, Dave... Thanks.

What does this 'matrix' guy do?  I couldn't find it in the docs.


Thanks,

Matt



On Sat, Jun 22, 2013 at 12:18 AM, David Edelman <dedelman at iname.com> wrote:

> The magic incantation is   -M norec
>
> This works fine for me:
>
> /usr/local/bin/rasqlinsert -M time 1d -M cache  -S localhost:9603 -w
> mysql://argus@localhost/argus/testmatrix_%Y_%m_%d   -m srcid matrix proto
> -M
> norec -s ltime dur srcid saddr daddr smac dmac proto bytes
>
> --Dave
>
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of Matt Brown
> Sent: Friday, June 21, 2013 5:05 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Excluding the 'record' field when using with rasqlinsert
>
> Hello,
>
> I'd like to not have rasqlinsert add the record blob.  When I attempt
> to use '-record' I get a variety of interesting errors.
>
> This is with client 3.0.7.10 (with or without the latest patched
> version of argus_util.c).
>
> How do I exclude the 'record' field when using rasqlinsert?
>
>
> Thanks,
>
> Matt
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130624/14b03506/attachment.html>

More information about the argus mailing list