Ingest Zeek Logs into Brim

[jameskerr]

When given a array of files and their associated types, we need to validate that the array contains:

• One pcap
• One zeek log
• Multiple zeek logs

Any other combination will throw an error explaining what we expect.

If it passes validation, return the default dataDir and spaceName params.

If one file:
spaceName: same name as that file
dataDir: same directory as that file/spacename.brim

If more than one file:
spaceName:
if all logs in same dir, the name of that dir
else a randomly generated name
dataDir: $HOME/.brim/spaceName.brim

[philrz]

Verified in Brim commit 314f149 talking to zqd tagged v0.11.1. Per the attached video, now I can open a directory full of Zeek TSV logs in Brim, as opposed to having to start with just a pcap.

Verify.mp4.zip

This was done using the zq-sample-data. The count() shown in the video matches that seen with zq at the CLI.

~/work/zq-sample-data/zeek-default$ zq -f table "count()" *
COUNT
1462078

Some additional notes:

1. I had to uncompress the log files before Brim would accept them. Whether Brim can accept GZIP'ed input files the way zq can is TBD.
2. As described in the PR, the UX work to expose Zeek-centric icons & wording is still on the way.
3. Also as described in the PR, ingest of typed Zeek NDJSON is not working yet.