Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attribute may not be variable #260

Open
subbyte opened this issue Oct 26, 2022 · 1 comment
Open

attribute may not be variable #260

subbyte opened this issue Oct 26, 2022 · 1 comment
Assignees
@subbyte
Labels
bug Something isn't working documentation Improvements or additions to documentation
Milestone
Parser upgrade

Comments

@subbyte
Copy link
Member

subbyte commented Oct 26, 2022
edited

Describe the bug

procs = GET process
        FROM file:///tmp/lab101.json
        WHERE parent_ref.name = 'svchost.exe'
        START 2021-04-03T00:00:00Z STOP 2021-04-03T02:00:00Z
        
procs_grps = GROUP procs BY binary_ref.name WITH COUNT(pid) AS number_of_procs

APPLY python://attribute-plot ON procs_grps WITH XPARAM=binary_ref.name, YPARAM=number_of_procs

error:

[ERROR] KestrelSyntaxError: invalid token "'binary_ref.name'" at line 6 column 29, expects one of ['BIN', 'ATTRIBUTE']
rewrite the failed statement.

Kestrel version: v1.5.1
@subbyte subbyte added the bug Something isn't working label Oct 26, 2022
@subbyte subbyte self-assigned this Oct 26, 2022
@subbyte
Copy link
Member Author

subbyte commented Oct 26, 2022

need to document it that to use 'binary_ref.name' to tell Kestrel treat it as a string.

This works:

procs = GET process
        FROM file:///tmp/lab101.json
        WHERE parent_ref.name = 'svchost.exe'
        START 2021-04-03T00:00:00Z STOP 2021-04-03T02:00:00Z
        
procs_grps = GROUP procs BY binary_ref.name WITH COUNT(pid) AS number_of_procs

# need to single quote binary_ref.name so Kestrel will not treat binary_ref as a variable
APPLY python://attribute-plot ON procs_grps WITH XPARAM='binary_ref.name', YPARAM=number_of_procs

@subbyte subbyte added the documentation Improvements or additions to documentation label Oct 26, 2022
@subbyte subbyte added this to the Parser upgrade milestone Oct 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@subbyte subbyte

Labels
bug Something isn't working documentation Improvements or additions to documentation
Projects
None yet
Milestone
Parser upgrade
Development

No branches or pull requests
1 participant
@subbyte