Time specification bug with rasql

Jesse Bowling jessebowling at gmail.com
Mon Sep 9 14:34:18 EDT 2013 

On 09/09/2013 10:08 AM, Carter Bullard wrote:
> Hey Jesse,
> I normally do it this way:
>    ra -t -1y+1y
> 

Odd...This appears to not behave the same way on my RHEL system:

# rasql -M time 1d sql="saddr='8.8.8.8'" -r
mysql://argus@localhost/argusip/aip_%Y_%m_%d -t -1y+1y -D8
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464630
ArgusInitAddrtoname (0x7f8838191010, 0x0, 0x0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464719
ArgusParseInit(0x7f8838191010, NULL)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464863 ArgusCalloc (1,
480) returning 0x23bb060
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464922 ArgusCalloc (1,
112) returning 0x23bb250
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464933 ArgusCalloc (1,
72) returning 0x23bb2d0
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464942 ArgusNewQueue ()
returning 0x23bb2d0
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465079 ArgusCalloc (1,
56) returning 0x23bb320
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465120 ArgusCalloc
(65536, 8) returning 0x37f02010
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465132
ArgusNewHashTable (65536) returning 0x23bb320
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465144 ArgusCalloc (1,
72) returning 0x23bb360
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465153 ArgusNewQueue ()
returning 0x23bb360
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465165 ArgusCalloc (1,
72) returning 0x23bb3b0
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465303 ArgusNewQueue ()
returning 0x23bb3b0
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465312 ArgusCalloc (1,
72) returning 0x23bb400
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465321 ArgusNewQueue ()
returning 0x23bb400
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465330 ArgusCalloc (1,
512) returning 0x23bb450
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.466450 ArgusCalloc (1,
1272) returning 0x23bb730
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.475982 RaMySQLInit ()
RaSource (null) RaArchive (null) RaFormat (null)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476025 ArgusCalloc (8,
65536) returning 0x3737f010
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476715 ArgusFree
(0x2320610)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476734 ArgusFree
(0x23205b0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476744 ArgusFree
(0x2320550)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476752 ArgusFree
(0x23204f0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476760 ArgusFree
(0x2320490)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476768 ArgusFree
(0x2320430)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476788 ArgusFree
(0x23203d0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476797 ArgusFree
(0x2320370)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476808 ArgusFree
(0x2320310)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476818 ArgusFree
(0x23202b0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476826 ArgusFree
(0x2320250)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476834 ArgusFree
(0x23215b0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476842 ArgusFree
(0x2321610)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476850 ArgusFree
(0x2321670)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476858 ArgusFree
(0x23216d0)
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476891 ArgusCalloc (1,
461728) returning 0x3730e010
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476932 SQL Query SELECT
record from aip_2012_12_31 WHERE saddr='8.8.8.8'
rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.477032 ArgusShutDown (2)


> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467831 ArgusParseTime (0x105bef000, 0x105bef148, 0x105bef1b8, "-1y", ' ', 0.000000) retn year(1378735642)
> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467877 ArgusParseTime (0x105bef000, 0x105bef180, 0x105bef148, "1y", '+', 0.000000) retn year(1357012800)
> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467909 ArgusCheckTimeFormat (0x105bef1b8, -1y+1y) 1357012800.000000-1357016400.000000
> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467920 ArgusParseTimeArg (-1y+1y, 4, 0x105bef1b8)
> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467940 ArgusCalloc (1, 461752) returning 0x5d13000
> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467958 ArgusAddFileList (0x5bef000, -, 1, -1, -1) returning 1
> 
> 
> Yes, there does seem to be a bug.  When I type this, I get that:
> 
> ra -D8 -t 2013   
> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174941 ArgusParseTime (0x108c23000, 0x108c23148, 0x108c23180, "2013", ' ', 0.000000) retn year(2013)
> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174986 ArgusCheckTimeFormat (0x108c231b8, 2013) 2013.000000-31538013.000000
> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174999 ArgusParseTimeArg (2013, 4, 0x108c231b8)
> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.175018 ArgusCalloc (1, 461752) returning 0x8d47000
> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.175036 ArgusAddFileList (0x8c23000, -, 1, -1, -1) returning 1
> 
> So, let me fix that.
> 
> Carter
> 
> 
> 
> On Sep 8, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
>> Hi,
>>
>> I noticed that while using a table created with:
>>
>> rasqlinsert -m saddr -s "saddr stime ltime" -S localhost -w mysql://argus@localhost/argusip/aip_%Y_%m_%d -M time 1d drop rmon -d
>>
>> I can successfully query for a particular address on a particular day:
>>
>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013/09/08
>>            SrcAddr                StartTime                 LastTime 
>>         10.10.10.2 09/08/13 22:03:35.896662 09/08/13 22:03:35.896662
>>
>> also for a particular month:
>>
>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013/09
>>            SrcAddr                StartTime                 LastTime 
>>         10.10.10.2 09/08/13 22:03:35.896662 09/08/13 22:03:35.896662
>>
>> However, when I query for the year, I get no results:
>>
>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013
>> #
>>
>> Running with debug mode, it appears that it's looking for my IP in 1970...
>>
>> rasql[28545.c0f750b02a7f0000]: 09/08/13 22:08:10.298650 SQL Query SELECT record from aip_1970_01_01 WHERE saddr='10.10.10.2'
>>
>> Seems like a bug...
>>
>> Cheers,
>>
>> Jesse
>>
>> -- 
>> Jesse Bowling
>>
>

More information about the argus mailing list