I might have been overthinking this, it seems that no explicit tag/filter is needed as long as I aggregate on different fields (see below).
It makes sense that nfacctd will not aggregate on primitives that do not exist (duh), and it provides the kind of filtering that I was looking for, but is it the proper method to filter or does it just "happen to work" this way? pre_tag_filter[options_nbar]: 200 aggregate[options_nbar]: peer_src_ip, nbar_id, nbar_name, nbar_desc sql_table[options_nbar]: pmacct_options_nbar !(...) pre_tag_filter[options_iface]: 200 aggregate[options_iface]: peer_src_ip, in_iface, iface_short, iface_long sql_table[options_iface]: pmacct_options_iface !(...) Cheers, Yann On Wed, Dec 21, 2016 at 4:54 PM Yann Belin <y.belin...@gmail.com> wrote: > Hello, > > After following the examples in pmacct documentation, I was able to > assign different tags to flow and option records (respectively 100 and > 200) , but I cannot figure out how to assign different tags to > different "types" of option records in order to store their data in > different SQL tables. > > For instance, I receive the option records below. What I would like to > do is to assign tag #200 to "application" records and tag #201 to > "interface" records but I cannot figure out a way to do it. > > I cannot use the template/flowset ID because it bound to change > occasionally... I thought about checking the presence of a field > instead (e.g. 10 v.s. 95) but there is nothing in the pretag_map > documentation about this. Any ideas? > > > DEBUG ( default/core ): NfV10 agent : 172.16.2.1:6 > DEBUG ( default/core ): NfV10 template type : options > DEBUG ( default/core ): NfV10 template ID : 256 > DEBUG ( default/core ): ------------------------------------------------ > DEBUG ( default/core ): | field type | offset | size | > DEBUG ( default/core ): | 10 [10 ] | 0 | 4 > | Interface input snmp > DEBUG ( default/core ): | 82 [82 ] | 4 | 32 > | Interface name short > DEBUG ( default/core ): | 83 [83 ] | 36 | 64 > | Interface name long > DEBUG ( default/core ): ------------------------------------------------ > DEBUG ( default/core ): Netflow V9/IPFIX record size : 100 > > > DEBUG ( default/core ): NfV10 agent : 172.16.2.1:6 > DEBUG ( default/core ): NfV10 template type : options > DEBUG ( default/core ): NfV10 template ID : 257 > DEBUG ( default/core ): ------------------------------------------------ > DEBUG ( default/core ): | field type | offset | size | > DEBUG ( default/core ): | app id [95 ] | 0 | 4 > | Application ID > DEBUG ( default/core ): | app name [96 ] | 4 | 24 > | Application name > DEBUG ( default/core ): | app desc [94 ] | 28 | 55 > | Application description > DEBUG ( default/core ): ------------------------------------------------ > DEBUG ( default/core ): Netflow V9/IPFIX record size : 83 > > > Thanks in advance, > > Yann >
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
