Hi,
I am interested in creating a pie chart of the % of protocols in network traffic for a complete day, which keeps updating during the day as newer traffic events arrive. I think event streams keep discarding the previous data as new events arrive. Is it so? Since I need previous events along with the incoming data, I decided to use event tables, which keep data for a longer time, but the thing is that I need to join the table with a stream in order to make it of any use, and if I do so I will only be using the events that are currently in the stream (not the ones that are already stored and required for the chart).
/* Enter a unique ExecutionPlan */
@Plan:name('MAINExecutionPlan')

/* Enter a unique description for ExecutionPlan */
-- @Plan:description('ExecutionPlan')

/* define streams/tables and write queries here ... */

@Import('MAINInStream:1.0.0')
define stream MAINInStream (ts string, uid string, id_orig_h string, id_orig_p int, id_resp_h string, id_resp_p int, proto string, service string, duration double, orig_bytes long, resp_bytes long, conn_state string, local_orig bool, local_resp bool, missed_bytes long, history string, orig_pkts long, orig_ip_bytes long, resp_pkts long, resp_ip_bytes long, tunnel_parents string, sensorname string);

/* count() returns long in Siddhi, so the exported attribute is long rather than int */
@Export('ProtocolStream:1.0.0')
define stream ProtocolStream (protocol string, count long);

define table mem_conn_table (timestamp string, id_orig_h string, id_orig_p int, id_resp_h string, id_resp_p int, proto string);

/* data from stream to table in proper local date format */
@info(name = 'streamToTable')
from MAINInStream
select time:dateAdd(str:replaceAll(ts, 'T', ' '), 5, 'hour', "yyyy-MM-dd HH:mm:ss") as timestamp, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto
insert into mem_conn_table;

/* From that table, which contains all previous and newer data, take the records of the current day and add a column with the protocol name */
@info(name = 'dailyProtocolCount')
from mem_conn_table[time:dateDiff(time:currentTimestamp(), timestamp, "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss") == 0]
select ifThenElse(id_resp_p == 21, 'FTP', ifThenElse(id_resp_p == 22, 'SSH', ifThenElse(id_resp_p == 25, 'SMTP', ifThenElse(id_resp_p == 445, 'SMB', 'MYSQL')))) as protocol, count() as count
insert into ProtocolStream;

It's not working, obviously, as there is no join, but how do I make it work for the goal I mentioned?

Regards,
Aneela Safdar
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
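One way to get a continuously updated per-protocol count for the last day without a table join, as an added example that is not from the original post or from WSO2: a sliding time window keeps the last 24 hours of connection events in memory, and the grouped count() is re-emitted whenever an event enters or leaves the window. It assumes Siddhi 3.x syntax as used in WSO2 CEP 4.x; the plan name, the intermediate stream LabelledConnStream and the 'OTHER' fallback label are assumptions, and the window is a sliding 24 hours rather than the calendar day that the dateDiff filter in the post selects.

```sql
/* Added example (not the original post's code). Assumes Siddhi 3.x / WSO2 CEP 4.x syntax. */
@Plan:name('ProtocolDailyPlan')

/* same input definition as in the post: Zeek/Bro-style conn fields */
@Import('MAINInStream:1.0.0')
define stream MAINInStream (ts string, uid string, id_orig_h string, id_orig_p int, id_resp_h string, id_resp_p int, proto string, service string, duration double, orig_bytes long, resp_bytes long, conn_state string, local_orig bool, local_resp bool, missed_bytes long, history string, orig_pkts long, orig_ip_bytes long, resp_pkts long, resp_ip_bytes long, tunnel_parents string, sensorname string);

/* count() returns long in Siddhi, so the count attribute is long, not int */
@Export('ProtocolStream:1.0.0')
define stream ProtocolStream (protocol string, count long);

/* assumed intermediate stream: one event per connection, port already mapped to a label */
define stream LabelledConnStream (protocol string);

/* step 1: label each connection by destination port; unknown ports become 'OTHER'
   (assumed label) instead of being counted as MYSQL */
@info(name = 'labelProtocol')
from MAINInStream
select ifThenElse(id_resp_p == 21, 'FTP',
       ifThenElse(id_resp_p == 22, 'SSH',
       ifThenElse(id_resp_p == 25, 'SMTP',
       ifThenElse(id_resp_p == 445, 'SMB', 'OTHER')))) as protocol
insert into LabelledConnStream;

/* step 2: a sliding 24-hour window retains the last day of events, so the
   stream does not "discard" them; group by gives one running count per label.
   'insert all events' also emits the decremented count when an event expires. */
@info(name = 'dailyProtocolCount')
from LabelledConnStream#window.time(1 day)
select protocol, count() as count
group by protocol
insert all events into ProtocolStream;
```

The pie chart then reads the latest count per protocol from ProtocolStream and derives percentages from the sum of those counts; no table or join is needed because the window itself holds the day's history.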