Replies: 3 comments 8 replies
-
I'm wondering about efficiency tradeoffs, and in particular whether there's a way to support an initial phase that agrees on the expected positions, plus support for gaps, such that the common case of sending around a large number of agreed-upon records can proceed with no need to do per-record field lookups. |
Beta Was this translation helpful? Give feedback.
-
Yeah, performance indeed I think, maybe also ease of implementation. (Also, the other notable piece missing is typing, but that applies to Broker values generally.) |
Beta Was this translation helpful? Give feedback.
-
Okay ... I recently learned a few things about Broker. Might well be old news for most, but here's where I land as a result:
I don't really like the idea of tweaking the current Broker vectors to somehow better accommodate Zeek's records — Broker's data model should fit naturally. At least, I don't think we should do this next. My suggestion is to actually examine the impact of a switch to table-based records in Zeek. This doesn't strike me as that much work: it looks like a rewrite of a few components of I also don't think this is especially urgent given how much else is going on right now. The situation for Python / non-Zeek endpoints isn't great, and that alone was worth highlighting. But it's also not a showstopper. Thoughts welcome... |
Beta Was this translation helpful? Give feedback.
-
Recent discussions around backward-compatibility of changes to records flagged how particularly exposed users of Broker's Python bindings are to such changes. Mapping Zeek's records to Broker's data model expects records as a tuple of values, with each member in its own Broker-model rendering. The vector must cover the full list of fields, including
None
s for optional ones. As a result, any change to the record definition means you must adapt your Python implementation to reflect it. This is true for both the traditional wire format and the new WebSocket one.I am wondering whether we should extend Broker's data model to allow record types, with a serialization as a key/val store.
Does anyone recall the historical reasoning for stopping short of explicit record support in the model?
@J-Gras, @Chukudubem, @Neverlord, @rsmmr, fyi
Beta Was this translation helpful? Give feedback.
All reactions