https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16656

            Bug ID: 16656
           Summary: Add jsonnl output format (or remove the index entry
                    from existing ek format)
           Product: Wireshark
           Version: 3.2.3
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Enhancement
          Priority: Low
         Component: TShark
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: santiago.cicili...@gmail.com
  Target Milestone: ---

Build Information:
tshark -v
TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.64.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0,
with Lua 5.2.4, with GnuTLS 3.6.13 and PKCS #11 support, with Gcrypt 1.8.5,
with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.40.0, with brotli,
with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10.

Running on Linux 5.4.0-33-generic, with Intel(R) Xeon(R) CPU E5-2680 v3 @
2.50GHz (with SSE4.2), with 7961 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.13,
with Gcrypt 1.8.5, with brotli 1.0.7, with zlib 1.2.11, binary plugins
supported (0 loaded).

Built using gcc 9.3.0.
--
The ek output format is great for loading and processing captures in BigData
environments.

Unfortunately, as the ek format is designed specifically for Elasticsearch,
there is a row added with the index description before every record.

{"index":{"_index":"packets-2020-06-27","_type":"doc"}}
{"timestamp":"1593228122133","layers":{"frame_raw":"fa163e0aed1d4c9614901ff0080...}
{"index":{"_index":"packets-2020-06-27","_type":"doc"}}
{"timestamp":"1593228122133","layers":{"frame_raw":"4c9614901ff0fa163e0aed1d080...}

I was wondering if it is possible to add a flag to remove this additional row
from the output.

From the code it looks like the code printing that output is at line 364 in
epan/print.c

https://github.com/wireshark/wireshark/blob/986fec7f3ba9db9b60fe209fb5d41ba5d291cde5/epan/print.c#L364
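Until such a flag exists, the index rows can be stripped after the fact. The
following is an added example, not code from Wireshark or from the reporter:
it reads "tshark -T ek" output (the Elasticsearch bulk layout shown in the
report, where an action line precedes every packet record), drops the action
lines and yields plain JSON-lines records. The sample text is constructed from
the report's own excerpt; the function and file names are the example's own.
Malformed lines and action lines with no following record are reported
instead of being silently dropped, so a truncated or corrupted export is
noticed before it lands in a data pipeline.

```python
import json
import sys
from typing import Iterable, Iterator

# Constructed sample of `tshark -T ek` output, following the report's excerpt:
# a bulk "index" action line precedes every packet record.
SAMPLE_EK = """\
{"index":{"_index":"packets-2020-06-27","_type":"doc"}}
{"timestamp":"1593228122133","layers":{"frame_raw":"fa163e0aed1d"}}
{"index":{"_index":"packets-2020-06-27","_type":"doc"}}
{"timestamp":"1593228122133","layers":{"frame_raw":"4c9614901ff0"}}
"""

BULK_ACTIONS = ("index", "create", "update", "delete")


def is_bulk_action(obj) -> bool:
    """True if a parsed line is a bulk action header such as {"index": {...}}
    rather than a packet record (which carries "timestamp" and "layers")."""
    return (
        isinstance(obj, dict)
        and len(obj) == 1
        and next(iter(obj)) in BULK_ACTIONS
        and isinstance(next(iter(obj.values())), dict)
    )


def ek_to_jsonl(lines: Iterable[str], strict: bool = True) -> Iterator[dict]:
    """Yield packet records from ek output, dropping the bulk action lines.

    With strict=True, invalid JSON or an action line that is not followed by a
    record raises ValueError so a broken export is noticed; with strict=False
    the offending line is skipped with a message on stderr.
    """
    expecting_record = False
    lineno = 0
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            if strict:
                raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from None
            print(f"skipping line {lineno}: invalid JSON", file=sys.stderr)
            continue
        if is_bulk_action(obj):
            if expecting_record and strict:
                raise ValueError(f"line {lineno}: action line without a record")
            expecting_record = True
            continue
        expecting_record = False
        yield obj
    if expecting_record and strict:
        raise ValueError(f"line {lineno}: export ends with an action line")


def strip_index_lines(text: str) -> list:
    """Convenience wrapper: ek text in, list of packet records out."""
    return list(ek_to_jsonl(text.splitlines()))


if __name__ == "__main__":
    # Usage: tshark -T ek -r capture.pcapng | python3 ek_to_jsonl.py > packets.jsonl
    # Without piped input the constructed sample is processed instead.
    src = SAMPLE_EK.splitlines() if sys.stdin.isatty() else sys.stdin
    for record in ek_to_jsonl(src):
        print(json.dumps(record, separators=(",", ":")))
```

For a quick one-off the same filtering can be done with jq, for example
tshark -T ek -r capture.pcapng | jq -c 'select(has("index") | not)', which
keeps every top-level object that has no "index" key; the Python version above
additionally checks that the action/record pairing is intact.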

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs