Class: Mu::Xtractr::Flows
- Inherits: Object
- Includes: Enumerable
- Defined in: lib/mu/xtractr/flows.rb, lib/mu/xtractr/test/tc_flows.rb
Overview
over all the flows in the index.
Defined Under Namespace
Classes: Test
Constant Summary
- MAX_PAGE_SIZE = 100 (:nodoc:)
Instance Attribute Summary
- #xtractr ⇒ Object (readonly, :nodoc:)
Instance Method Summary
- #count(field) ⇒ Object: count the unique values of the specified field amongst all the flows that matched the query.
- #each_flow ⇒ Object (also: #each): iterate over each flow that matches the search criteria.
- #first ⇒ Object: fetch the first flow that matched the query.
- #initialize(xtractr, opts) ⇒ Flows (constructor, :nodoc:)
- #inspect ⇒ Object (:nodoc:)
- #q ⇒ Object (:nodoc:)
- #save(filename) ⇒ Object: save all the packets for this collection of flows into a pcap.
- #sum(kfield, vfield) ⇒ Object: sum the numeric values of vfield, keyed by the unique values of kfield.
- #values(field) ⇒ Object: return a list of Field::Value objects for the specified field, sorted by their frequency.
Constructor Details
#initialize(xtractr, opts) ⇒ Flows (:nodoc:)

```ruby
# File 'lib/mu/xtractr/flows.rb', line 27
def initialize xtractr, opts # :nodoc:
  @xtractr = xtractr
  @opts = opts.dup      # copy so the caller's hash is not mutated
  @opts[:q] ||= '*'     # default query matches every flow in the index
end
```
Instance Attribute Details
#xtractr ⇒ Object (readonly, :nodoc:)

```ruby
# File 'lib/mu/xtractr/flows.rb', line 23
def xtractr
  @xtractr
end
```
Instance Method Details
#count(field) ⇒ Object
Count the unique values of the specified field amongst all the flows that matched the query.
xtractr.flows('index.html').count('http.request.uri')
```ruby
# File 'lib/mu/xtractr/flows.rb', line 74
def count field
  # Delegates to Views.count, running the report over this collection's query options.
  Views.count xtractr, field, '/api/flows/report', @opts
end
```
#each_flow ⇒ Object Also known as: each
Iterate over each flow that matches the search criteria. Flows are fetched from the index one page at a time (MAX_PAGE_SIZE rows per request), so prefer this with a fine-grained query over flows.to_a, which would try to load every matching flow from the index into memory.
xtractr.flows("flow.src:192.168.1.1").each { |flow| ... }
```ruby
# File 'lib/mu/xtractr/flows.rb', line 41
def each_flow() # :yields: flow
  _opts = @opts.dup
  _opts[:start] ||= 1
  _opts[:limit] ||= MAX_PAGE_SIZE
  while true
    result = xtractr.json "api/flows", _opts
    rows = result['rows']
    break if rows.empty?
    # Yield all but the last row of a full page; that row's id becomes the
    # :start of the next request, so it is fetched again and yielded then.
    rows[0, MAX_PAGE_SIZE-1].each do |row|
      flow = Flow.new xtractr, row
      yield flow
    end
    break if rows.size < MAX_PAGE_SIZE   # a short page is the last page
    _opts[:start] = rows[MAX_PAGE_SIZE-1]['id']
  end
  return self
end
```
#first ⇒ Object
Fetch the first flow that matched the query. This is mainly used for unit testing, but useful within IRB to experiment with method chaining.
flows.first.save("1.pcap")
```ruby
# File 'lib/mu/xtractr/flows.rb', line 65
def first
  result = xtractr.json "api/flows", :start => 1, :limit => 1, :q => q
  rows = result['rows']
  rows.empty? ? nil : Flow.new(xtractr, rows[0])
end
```
#inspect ⇒ Object (:nodoc:)

```ruby
# File 'lib/mu/xtractr/flows.rb', line 111
def inspect # :nodoc:
  "#<flows:#{@opts[:q]}>"
end
```

#q ⇒ Object (:nodoc:)

```ruby
# File 'lib/mu/xtractr/flows.rb', line 33
def q # :nodoc:
  @opts[:q]
end
```
#save(filename) ⇒ Object
Save all the packets for this collection of flows into a pcap. The packets for the flows may span multiple indexed pcaps; the slice is assembled server-side from a single pkt.flow query. Note that only the first 1024 matching flows are included: the method stops collecting flow ids at that point, so a broad query silently produces a partial capture.
xtractr.flows('flow.service:DNS AAAA').save('dns.pcap')
```ruby
# File 'lib/mu/xtractr/flows.rb', line 96
def save filename
  flow_ids = []
  each_flow do |flow|
    flow_ids << flow.id.to_s
    break if flow_ids.size >= 1024   # cap the query size; later flows are dropped
  end
  # One packet query matching any of the collected flow ids.
  _q = "pkt.flow:(" << flow_ids.join('||') << ')'
  # File.open in binary mode: the response is raw pcap bytes, and Kernel#open
  # would treat a filename beginning with '|' as a command to run.
  File.open(filename, "wb") do |ios|
    pcap = xtractr.get "api/packets/slice", :q => _q
    ios.write pcap
  end
  return self
end
```
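The paging in #each_flow and the id-query construction in #save, as an added example that is not part of the xtractr gem: FakeXtractr is a constructed in-memory stand-in for the Xtractr client (its json and get methods, the toy query matcher, and the 10.0.0.x addresses are all assumptions made for this example), and FlowPager reimplements the two methods against it so the page walk, the re-fetched last row, and the 1024-flow cap can be observed offline.

```ruby
# Added example, not code from the Mu xtractr gem. FakeXtractr is a constructed
# stand-in for the real client; it assumes, as the real each_flow does, that
# 'api/flows' returns matching rows in ascending id order beginning at the row
# whose id == opts[:start], at most opts[:limit] rows per request.
require 'tempfile'

MAX_PAGE_SIZE = 100   # same page size as Mu::Xtractr::Flows::MAX_PAGE_SIZE
SAVE_CAP = 1024       # Flows#save stops collecting flow ids at this many flows

# Constructed in-memory index: flow ids 1..n, each with a 'flow.src' address.
class FakeXtractr
  attr_reader :requests   # every (path, opts) pair the client was asked for

  def initialize(flow_count)
    @rows = (1..flow_count).map { |id| { 'id' => id, 'flow.src' => "10.0.0.#{id % 4}" } }
    @requests = []
  end

  # Stand-in for Xtractr#json 'api/flows': filter by query, then page by id.
  def json(path, opts)
    @requests << [path, opts.dup]
    matching = @rows.select { |row| match?(row, opts[:q]) }
    page = matching.select { |row| row['id'] >= (opts[:start] || 1) }
    { 'rows' => page.first(opts[:limit] || MAX_PAGE_SIZE) }
  end

  # Stand-in for Xtractr#get 'api/packets/slice': echoes the query back as the
  # "pcap" body so the caller can see exactly what was requested.
  def get(path, opts)
    @requests << [path, opts.dup]
    "PCAP:#{opts[:q]}"
  end

  private

  # Toy query language (assumption): '*' matches all, 'field:value' is exact.
  def match?(row, q)
    return true if q.nil? || q == '*'
    field, value = q.split(':', 2)
    row[field] == value
  end
end

class FlowPager
  include Enumerable

  def initialize(xtractr, q = '*')
    @xtractr, @q = xtractr, q
  end

  # Same scheme as Flows#each_flow: fetch MAX_PAGE_SIZE rows, yield the first
  # MAX_PAGE_SIZE-1, then restart the next request at the id of the row that was
  # fetched but not yielded. A short page ends the walk, so every matching flow
  # is yielded exactly once and no page boundary is skipped.
  def each
    opts = { q: @q, start: 1, limit: MAX_PAGE_SIZE }
    loop do
      rows = @xtractr.json('api/flows', opts)['rows']
      break if rows.empty?
      rows[0, MAX_PAGE_SIZE - 1].each { |row| yield row }
      break if rows.size < MAX_PAGE_SIZE
      opts[:start] = rows[MAX_PAGE_SIZE - 1]['id']
    end
    self
  end

  # Same query construction as Flows#save; returns how many flows were included.
  def save(filename)
    ids = []
    each do |row|
      ids << row['id'].to_s
      break if ids.size >= SAVE_CAP   # break exits #each; later flows are dropped
    end
    query = "pkt.flow:(#{ids.join('||')})"
    # Binary mode, and File.open rather than Kernel#open (which would run a
    # filename starting with '|' as a command).
    File.open(filename, 'wb') { |io| io.write(@xtractr.get('api/packets/slice', q: query)) }
    ids.size
  end
end

# Walks a constructed index of flow_count flows and returns
# [ids yielded, number of 'api/flows' requests made].
def walk(flow_count, q = '*')
  x = FakeXtractr.new(flow_count)
  ids = FlowPager.new(x, q).map { |row| row['id'] }
  [ids, x.requests.count { |path, _| path == 'api/flows' }]
end

# Saves a constructed index to a temp file; returns [flows saved, bytes written].
def demo_save(flow_count)
  x = FakeXtractr.new(flow_count)
  Tempfile.create('flows') do |tf|
    n = FlowPager.new(x).save(tf.path)
    [n, File.binread(tf.path)]
  end
end

if __FILE__ == $0
  ids, reqs = walk(250)
  puts "250 flows: #{reqs} requests, #{ids.size} yielded, #{ids.uniq.size} unique"
  n, bytes = demo_save(2000)
  puts "save of 2000 flows kept #{n}; query is #{bytes.size} bytes"
end
```

Walking 250 flows takes three requests (pages starting at ids 1, 100 and 199) and yields each id once; saving a 2000-flow index writes a query naming only ids 1 through 1024, which is the partial-capture behaviour to watch for when the query is broad.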
#sum(kfield, vfield) ⇒ Object
Sum the numeric values of vfield, keyed by the unique values of kfield.
xtractr.flows('index.html').sum('http.request.uri', 'flow.bytes')
```ruby
# File 'lib/mu/xtractr/flows.rb', line 88
def sum kfield, vfield
  # Delegates to Views.sum, running the report over this collection's query options.
  Views.sum xtractr, kfield, vfield, '/api/flows/report', @opts
end
```
#values(field) ⇒ Object
Return a list of Field::Value objects for the specified field, sorted by their frequency. This is a convenience method used in method chaining.
xtractr.flows('index.html').values('http.request.uri')
```ruby
# File 'lib/mu/xtractr/flows.rb', line 81
def values field
  # count(field) returns per-value counters; unwrap each to its Field::Value.
  count(field).map { |c| c.object }
end
```