Re: [Nfdump-discuss] Select all sources for a given profile in query
netflow collecting and processing tools
From: Mark D. N. <mn...@wi...> - 2013-12-24 00:32:36
On 12/22/2013 5:43 AM, Rick Hofstede wrote:
> I'm looking for a simple way to select all sources in a given profile for a certain
> query. So instead of specifying the sources manually as in [1], I'm looking for
> something that works like [2].
>
> [1] nfdump -M /data/nfsen/profiles-data/SSH/source1:source2/ -r nfcapd.201312151000
>
> [2] nfdump -M /data/nfsen/profiles-data/SSH/*/ -r nfcapd.201312151000
>
> So without knowing all sources for a profile beforehand, I want to select all of them.
> Do any of you know how to do this?
>
I have a Perl script that runs similar queries, but I had to enumerate the sources from
the hash keys:

    # load NfSen configuration information into distinct namespace
    my $basedir = "/usr/local/nfsen";
    {
        package NfSen;
        do "$basedir/etc/nfsen.conf"
            or die "$main::Script: $basedir/etc/nfsen.conf: $!\n";
    }

    ### skip some stuff, then:
    @sources = ("ALL") unless @sources;
    @sources = map { $_ eq "ALL" ? keys(%NfSen::sources) : split(/\s*,\s*/,$_) } @sources;

There is a Perl module for NfDump (Net::NfDump) that was recently discussed, and it
probably simplifies the task further.
Regards,
Mark
--
Mark D. Nagel, CCIE #3177 <mn...@wi...>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277
** For faster support response time, please
** email su...@wi... or call 714-495-4000
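
A shell-side way to get the effect of [2], as an added example that is not part of the original thread: the function below lists the source subdirectories present under a profile directory and joins them into the `dir/source1:source2` form that `-M` takes in [1]. The function name `nfdump_multi_arg`, the name filter, and the assumption that every source is a direct subdirectory of the profile directory are choices made for this example.

```shell
#!/bin/sh
# Build the nfdump -M argument ("<profile_dir>/src1:src2:...") from the
# source subdirectories that exist under an NfSen profile directory.
# Assumption: each source is a direct subdirectory of the profile directory,
# as in /data/nfsen/profiles-data/SSH/source1 from the question.
nfdump_multi_arg() {
    profile_dir=${1%/}                      # tolerate a trailing slash
    [ -d "$profile_dir" ] || {
        echo "not a directory: $profile_dir" >&2
        return 1
    }
    list=
    for path in "$profile_dir"/*/; do
        [ -d "$path" ] || continue          # glob matched nothing
        name=${path%/}
        name=${name##*/}
        # Skip names that would break the ':'-separated list or look like
        # an option; only letters, digits, '.', '_' and '-' are accepted.
        case $name in
            -*|*[!A-Za-z0-9._-]*)
                echo "skipping unexpected name: $name" >&2
                continue ;;
        esac
        list=${list:+$list:}$name
    done
    [ -n "$list" ] || {
        echo "no sources under $profile_dir" >&2
        return 1
    }
    printf '%s/%s\n' "$profile_dir" "$list"
}

# Usage with the paths from the question:
#   nfdump -M "$(nfdump_multi_arg /data/nfsen/profiles-data/SSH)" -r nfcapd.201312151000
```

Because the list is built from the directories on disk rather than from `nfsen.conf`, it also picks up directories left behind by sources that were later removed from the profile.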