Time specification bug with rasql

Carter Bullard carter at qosient.com
Mon Sep 9 16:54:30 EDT 2013 

Hey Jesse,
Remember to put the -D8 before the time filter expression, so 
debugging is on when the time filter logic kicks in.
Try this to see what happens (less debug output)

   ra -D8 -t -1y+1y

Carter

On Sep 9, 2013, at 2:34 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> On 09/09/2013 10:08 AM, Carter Bullard wrote:
>> Hey Jesse,
>> I normally do it this way:
>>   ra -t -1y+1y
>> 
> 
> Odd...This appears to not behave the same way on my RHEL system:
> 
> # rasql -M time 1d sql="saddr='8.8.8.8'" -r
> mysql://argus@localhost/argusip/aip_%Y_%m_%d -t -1y+1y -D8
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464630
> ArgusInitAddrtoname (0x7f8838191010, 0x0, 0x0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464719
> ArgusParseInit(0x7f8838191010, NULL)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464863 ArgusCalloc (1,
> 480) returning 0x23bb060
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464922 ArgusCalloc (1,
> 112) returning 0x23bb250
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464933 ArgusCalloc (1,
> 72) returning 0x23bb2d0
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.464942 ArgusNewQueue ()
> returning 0x23bb2d0
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465079 ArgusCalloc (1,
> 56) returning 0x23bb320
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465120 ArgusCalloc
> (65536, 8) returning 0x37f02010
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465132
> ArgusNewHashTable (65536) returning 0x23bb320
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465144 ArgusCalloc (1,
> 72) returning 0x23bb360
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465153 ArgusNewQueue ()
> returning 0x23bb360
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465165 ArgusCalloc (1,
> 72) returning 0x23bb3b0
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465303 ArgusNewQueue ()
> returning 0x23bb3b0
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465312 ArgusCalloc (1,
> 72) returning 0x23bb400
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465321 ArgusNewQueue ()
> returning 0x23bb400
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.465330 ArgusCalloc (1,
> 512) returning 0x23bb450
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.466450 ArgusCalloc (1,
> 1272) returning 0x23bb730
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.475982 RaMySQLInit ()
> RaSource (null) RaArchive (null) RaFormat (null)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476025 ArgusCalloc (8,
> 65536) returning 0x3737f010
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476715 ArgusFree
> (0x2320610)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476734 ArgusFree
> (0x23205b0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476744 ArgusFree
> (0x2320550)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476752 ArgusFree
> (0x23204f0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476760 ArgusFree
> (0x2320490)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476768 ArgusFree
> (0x2320430)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476788 ArgusFree
> (0x23203d0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476797 ArgusFree
> (0x2320370)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476808 ArgusFree
> (0x2320310)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476818 ArgusFree
> (0x23202b0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476826 ArgusFree
> (0x2320250)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476834 ArgusFree
> (0x23215b0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476842 ArgusFree
> (0x2321610)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476850 ArgusFree
> (0x2321670)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476858 ArgusFree
> (0x23216d0)
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476891 ArgusCalloc (1,
> 461728) returning 0x3730e010
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.476932 SQL Query SELECT
> record from aip_2012_12_31 WHERE saddr='8.8.8.8'
> rasql[28531.c0572338887f0000]: 09/09/13 14:32:51.477032 ArgusShutDown (2)
> 
> 
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467831 ArgusParseTime (0x105bef000, 0x105bef148, 0x105bef1b8, "-1y", ' ', 0.000000) retn year(1378735642)
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467877 ArgusParseTime (0x105bef000, 0x105bef180, 0x105bef148, "1y", '+', 0.000000) retn year(1357012800)
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467909 ArgusCheckTimeFormat (0x105bef1b8, -1y+1y) 1357012800.000000-1357016400.000000
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467920 ArgusParseTimeArg (-1y+1y, 4, 0x105bef1b8)
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467940 ArgusCalloc (1, 461752) returning 0x5d13000
>> ra[65328.80316477ff7f0000]: 2013/09/09.10:07:22.467958 ArgusAddFileList (0x5bef000, -, 1, -1, -1) returning 1
>> 
>> 
>> Yes, there does seem to be a bug.  When I type this, I get that:
>> 
>> ra -D8 -t 2013   
>> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174941 ArgusParseTime (0x108c23000, 0x108c23148, 0x108c23180, "2013", ' ', 0.000000) retn year(2013)
>> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174986 ArgusCheckTimeFormat (0x108c231b8, 2013) 2013.000000-31538013.000000
>> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.174999 ArgusParseTimeArg (2013, 4, 0x108c231b8)
>> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.175018 ArgusCalloc (1, 461752) returning 0x8d47000
>> ra[65313.80316477ff7f0000]: 2013/09/09.10:05:43.175036 ArgusAddFileList (0x8c23000, -, 1, -1, -1) returning 1
>> 
>> So, let me fix that.
>> 
>> Carter
>> 
>> 
>> 
>> On Sep 8, 2013, at 10:10 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>> 
>>> Hi,
>>> 
>>> I noticed that while using a table created with:
>>> 
>>> rasqlinsert -m saddr -s "saddr stime ltime" -S localhost -w mysql://argus@localhost/argusip/aip_%Y_%m_%d -M time 1d drop rmon -d
>>> 
>>> I can successfully query for a particular address on a particular day:
>>> 
>>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013/09/08
>>>           SrcAddr                StartTime                 LastTime 
>>>        10.10.10.2 09/08/13 22:03:35.896662 09/08/13 22:03:35.896662
>>> 
>>> also for a particular month:
>>> 
>>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013/09
>>>           SrcAddr                StartTime                 LastTime 
>>>        10.10.10.2 09/08/13 22:03:35.896662 09/08/13 22:03:35.896662
>>> 
>>> However, when I query for the year, I get no results:
>>> 
>>> # rasql -M time 1d sql="saddr='10.10.10.2'" -r mysql://argus@localhost/argusip/aip_%Y_%m_%d -t 2013
>>> #
>>> 
>>> Running with debug mode, it appears that it's looking for my IP in 1970...
>>> 
>>> rasql[28545.c0f750b02a7f0000]: 09/08/13 22:08:10.298650 SQL Query SELECT record from aip_1970_01_01 WHERE saddr='10.10.10.2'
>>> 
>>> Seems like a bug...
>>> 
>>> Cheers,
>>> 
>>> Jesse
>>> 
>>> -- 
>>> Jesse Bowling
>>> 
>> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130909/259230bc/attachment.bin>

More information about the argus mailing list