> On May 14, 2018, at 10:12 AM, Jon Siwek <jsi...@corelight.com> wrote: > > A short-lived cache, separate from the data store, still has problems like > the above: there can be times where the local cache contains the key and the > master store does not and so you may miss some (re)insertions.
I see what you mean.. I can almost see a solution involving using create_expire and expire_func to trigger a re-submit when the local cache expires, but that may cause the opposite problem. This would mean that a record would be sent the first time it was seen and then at most once again N minutes after that. If N minutes after that is 00:03 the entry would be logged on the following day even if it was not seen yet. I suppose if the value in the cache table was the network_time of the last time seen that could used to fill in the HostInfo record. — Justin Azoff _______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
