Class: Mu::Xtractr::Field
- Inherits: Object (hierarchy: Object, Mu::Xtractr::Field)
- Includes: Enumerable
- Defined in: lib/mu/xtractr/field.rb, lib/mu/xtractr/test/tc_field.rb
Defined Under Namespace
Instance Attribute Summary
- #name ⇒ Object (readonly)
  The name of the field.
- #xtractr ⇒ Object (readonly)
  :nodoc:
Instance Method Summary
- #[](which) ⇒ Object (also: #term)
  Find the term of this field with the given name, together with its packet frequency.
- #count(q = '*') ⇒ Object
  Find out all the unique values of this field with an optional query.
- #each_term(start = '') ⇒ Object (also: #each)
  Fetch the terms and their packet frequencies (in packets) for this field.
- #initialize(xtractr, name) ⇒ Field (constructor)
  :nodoc:
- #inspect ⇒ Object
  :nodoc:
- #terms(regex = nil) ⇒ Object
  Fetch the list of all the unique terms for this field, sorted by the frequency of occurrence in the packets.
- #values(q = '*') ⇒ Object
  Return a list of Field::Value objects for this field, sorted by their frequency.
Constructor Details
#initialize(xtractr, name) ⇒ Field
:nodoc:
# File 'lib/mu/xtractr/field.rb', line 101
def initialize xtractr, name # :nodoc:
  @xtractr = xtractr
  @name = name
end
Instance Attribute Details
#name ⇒ Object (readonly)
The name of the field.
# File 'lib/mu/xtractr/field.rb', line 38
def name
  @name
end
#xtractr ⇒ Object (readonly)
:nodoc:
# File 'lib/mu/xtractr/field.rb', line 35
def xtractr
  @xtractr
end
Instance Method Details
#[](which) ⇒ Object Also known as: term
Find the term of this field with the given name, together with its packet frequency.
field.term 'mozilla'
# File 'lib/mu/xtractr/field.rb', line 147
def [] which
  # Ask for a single row starting at `which`, then verify the key matches exactly.
  result = xtractr.json "api/field/#{name}/terms", :start => which, :limit => 1
  rows = result['rows']
  if rows.empty? || rows[0]['key'] != which
    raise ArgumentError, "Unknown term #{which} for field #{name}"
  end
  return Term.new(self, rows[0])
end
#count(q = '*') ⇒ Object
Find out all the unique values of this field with an optional query.
xtractr.field('http.user.agent').count('flow.src:192.168.1.1')
# File 'lib/mu/xtractr/field.rb', line 158
def count q='*'
  Views.count xtractr, self, "api/flows/report", :q => q
end
#each_term(start = '') ⇒ Object Also known as: each
Fetch the terms and their packet frequencies (in packets) for this field. If the optional start term is given, then the term enumeration starts from the specified term.
field.each { |term| ... }
field.each('mozilla') { |term| ... }
# File 'lib/mu/xtractr/field.rb', line 111
def each_term(start='') # :yields: term
  opts = {}
  opts[:start] = start
  # Request 101 rows per page: the first 100 are yielded and the 101st,
  # if present, becomes the start key of the next page.
  opts[:limit] = 101

  while true
    result = xtractr.json "api/field/#{name}/terms", opts
    rows = result['rows']
    break if rows.empty?

    rows[0, 100].each do |row|
      term = Term.new self, row
      yield term
    end

    # Fewer than 101 rows means this was the last page.
    break if rows.size < 101
    opts[:start] = rows[100]['key']
  end
  return self
end
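The paging loop in each_term and the exact-match check in #[] can be exercised offline. The following is an added example, not code from the mu-xtractr project: StubXtractr, each_row, lookup and SAMPLE are hypothetical names, the stub assumes :start is an inclusive lower bound over key-sorted rows (which the page's loop relies on, since the 101st row is never yielded before being reused as the next start), and the 'value' frequency key is an assumption.

```ruby
# Added example: a stand-alone model of Field#each_term paging and Field#[] lookup.
# StubXtractr is hypothetical; only the 'rows'/'key' shape comes from the page.
class StubXtractr
  attr_reader :calls

  def initialize(freqs)
    # Assumption: rows are key-sorted and 'value' holds the packet frequency.
    @rows = freqs.sort.map { |k, v| { 'key' => k, 'value' => v } }
    @calls = 0
  end

  # Assumption: :start is an inclusive lower bound; :limit caps the row count.
  def json(_path, opts)
    @calls += 1
    { 'rows' => @rows.select { |r| r['key'] >= opts[:start] }.first(opts[:limit]) }
  end
end

# Same loop as each_term, with the page size (100 on the page) as a parameter.
def each_row(client, field, start = '', page = 100)
  opts = { :start => start, :limit => page + 1 }
  loop do
    rows = client.json("api/field/#{field}/terms", opts)['rows']
    break if rows.empty?
    rows[0, page].each { |row| yield row }
    break if rows.size < page + 1     # short page: nothing left to fetch
    opts[:start] = rows[page]['key']  # the unyielded extra row starts the next page
  end
end

# Same check as Field#[]: the first row at or after `which` must match exactly.
def lookup(client, field, which)
  rows = client.json("api/field/#{field}/terms", :start => which, :limit => 1)['rows']
  if rows.empty? || rows[0]['key'] != which
    raise ArgumentError, "Unknown term #{which} for field #{field}"
  end
  rows[0]
end

# Constructed sample: 250 made-up terms, enough to span three pages of 100.
SAMPLE = (1..250).map { |i| [format('agent-%03d', i), (i * 37) % 101] }.to_h

if __FILE__ == $PROGRAM_NAME
  client = StubXtractr.new(SAMPLE)
  seen = []
  each_row(client, 'http.user.agent') { |row| seen << row['key'] }
  puts "#{seen.size} terms, #{seen.uniq.size} unique, #{client.calls} requests"
end
```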
#inspect ⇒ Object
:nodoc:
# File 'lib/mu/xtractr/field.rb', line 170
def inspect # :nodoc:
  "#<field:#{name}>"
end
#terms(regex = nil) ⇒ Object
Fetch the list of all the unique terms for this field, sorted by the frequency of occurrence in the packets. This can be used for some quick trend analysis to see which term of a given field appears most amongst all packets in the index. Here’s an example to print out the top 10 terms of http.request.uri.
p xtractr.field('http.request.uri').terms[0...10]
# File 'lib/mu/xtractr/field.rb', line 139
def terms regex=nil
  # A String pattern is compiled as a case-insensitive regular expression.
  regex = Regexp.new(regex, Regexp::IGNORECASE) if regex.is_a? String
  t = regex ? entries.select { |name| name =~ regex } : entries
  # Most frequent terms first.
  t.sort { |a, b| b.frequency <=> a.frequency }
end
#values(q = '*') ⇒ Object
Return a list of Field::Value objects for this field, sorted by their frequency. This is a convenience method to use the resulting Field::Value objects in method chaining.
xtractr.field('http.user.agent').values.first.packets.slice('foo.pcap')
# File 'lib/mu/xtractr/field.rb', line 166
def values q='*'
  count(q).map { |c| c.object }
end