Support type 152 field (fieldflowStartMilliseconds) and type 153 field(flowEndMilliseconds) #24
Conversation
flowStartSeconds flowEndSeconds flowStartMilliseconds flowEndMilliseconds flowStartMicroseconds flowEndMicroseconds flowStartNanoseconds flowEndNanoseconds Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
format_for_flowSeconds(time) format_for_flowMilliSeconds(time) format_for_flowMicroSeconds(time) format_for_flowNanoSeconds(time) Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
lib/fluent/plugin/parser_netflow.rb
Outdated
| event['last_switched'] = format_for_switched(msec_from_boot_to_time(event['last_switched'], pdu.uptime, time, 0)) if event['last_switched'] | ||
| r.each_pair do |k, v| | ||
| case k.to_s | ||
| when /^(?:first|last)_switched$/ |
There was a problem hiding this comment.
Could you check the performance to compare string and regexp?
- string
case k
when 'first_switched'.freeze
when 'last_switched'.freeze
when 'flowStartSeconds'freeze
# ...
end- regexp
case k
when /^(?:first|last)_switched$/
when /^flow(?:Start|End)Seconds$/
# ...
endThere was a problem hiding this comment.
NetFlow-Generator genarates only NetFlow V5 packets.
https://github.com/mshindo/NetFlow-Generator
Please tell me how can I genarates NetFlow V9 test packets.
Otherwise I will make test program to check the performance to compare string and regexp.
|
$ ./benchmark3b.rb #!/usr/bin/ruby
require 'benchmark'
print Benchmark.measure{ 1000000.times {
k = 'flowEndNanoseconds'
case k
when 'first_switched'.freeze then
when 'last_switched'.freeze then
when 'flowStartSeconds'.freeze then
when 'flowEndSeconds'.freeze then
when 'flowStartMilliseconds'.freeze then
when 'flowEndMilliseconds'.freeze then
when 'flowStartMicroseconds'.freeze then
when 'flowEndMicroseconds'.freeze then
when 'flowStartNanoseconds'.freeze then
when 'flowEndNanoseconds'.freeze then
else
end
}
} |
|
$ ./benchmark4b.rb #!/usr/bin/ruby
require 'benchmark'
print Benchmark.measure{ 1000000.times {
k = 'flowEndNanoseconds'
case k
when /^(?:first|last)_switched$/ then
when /^flow(?:Start|End)Seconds$/ then
when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/ then
else
end
}
} |
|
So, I will rewrite with string. |
Signed-off-by: Takashi Umeno <umeno.takashi@gmail.com>
lib/fluent/plugin/parser_netflow.rb
Outdated
| event['first_switched'] = format_for_switched(msec_from_boot_to_time(event['first_switched'], pdu.uptime, time, 0)) if event['first_switched'] | ||
| event['last_switched'] = format_for_switched(msec_from_boot_to_time(event['last_switched'], pdu.uptime, time, 0)) if event['last_switched'] | ||
| r.each_pair do |k, v| | ||
| case k.to_s |
There was a problem hiding this comment.
I'm not sure why original implementation calls to_s, but key is string so no need to_s call here.
There was a problem hiding this comment.
I'm not sure why original implementation calls to_s, but key is string so no need to_s call here.
No!
case k.to_s is needed.
If you change case k,
'flowStartSeconds' doesn't match 'flowStartSeconds'.freeze.
Please check in your environment.
There was a problem hiding this comment.
Hmm... it means 'k' is not string type?
There was a problem hiding this comment.
'k' is Symbol type, so case k.to_s is needed.
r.each_pair do |k, v|
$log.warn "k.class: ", k.class
$log.warn "k.to_s.class: ", k.to_s.class
$log.warn "'first_switched'.freeze.class: ", 'first_switched'.freeze.class
case k.to_s
2016-09-06 22:02:03 +0900 [warn]: k.class: Symbol
2016-09-06 22:02:03 +0900 [warn]: k.to_s.class: String
2016-09-06 22:02:03 +0900 [warn]: 'first_switched'.freeze.class: String
There was a problem hiding this comment.
Sorry for the late.
I understood the situation.
Better way is key = k.to_s before case and refer it in case and [].
It reduces the number of to_s call.
There was a problem hiding this comment.
Thank you.
I rewrote along your advice.
|
master change: from k.to_s to key. I think this failure is not caused by this change. |
|
Are there any problems in this patch to merge ? |
|
Why you revert |
|
Another idea is using symbol for case and use |
case k
when :first_switched
event[k.to_s] = ...
# ... other fields
endMaybe, this is more faster than string |
|
Thank you for you advice. I rewrite along this idea. |
|
Thanks for the update. |
|
LGTM. Could you add a test? |
|
Sorry, I can't add test codes immediately. |
|
I'm reading this URL. |
|
I add some test codes. |
|
Thanks! |
|
Thank you! |
pmacct-1.5.2 uses template type 152 field (flowStartMilliseconds) and type 153 field(flowEndMilliseconds) instead of type 22 field (first_switched) and type 21 field (last_switched).
This patch supports:
150:flowStartSeconds
151:flowEndSeconds
152:flowStartMilliseconds
153:flowEndMilliseconds
154:flowStartMicroseconds
155:flowEndMicroseconds
156:flowStartNanoseconds
157:flowEndNanoseconds
This patch is based on:
https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml
https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow.rb