Class: Mu::Xtractr::Field

Includes:
Enumerable
Defined in:
lib/mu/xtractr/field.rb,
lib/mu/xtractr/test/tc_field.rb


Defined Under Namespace

Classes: Test, Value


Constructor Details

#initialize(xtractr, name) ⇒ Field

:nodoc:



# File 'lib/mu/xtractr/field.rb', line 101

def initialize(xtractr, name) # :nodoc:
    # Bind this field to the client it was fetched through and remember
    # its name; both are exposed read-only via #xtractr and #name.
    @xtractr = xtractr
    @name    = name
end

Instance Attribute Details

#nameObject (readonly)

The name of the field.



# File 'lib/mu/xtractr/field.rb', line 38

# The name of the field, exactly as handed to the constructor
# (a String such as 'http.user.agent' in the documented examples).
def name
  @name
end

#xtractrObject (readonly)

:nodoc:



# File 'lib/mu/xtractr/field.rb', line 35

# The client this field was obtained from; it is what issues the
# api/field/... requests made by #[] and #each_term.  :nodoc:
def xtractr
  @xtractr
end

Instance Method Details

#[](which) ⇒ Object Also known as: term

Find the term of this field with the given name, together with its packet frequency.

field.term 'mozilla'


# File 'lib/mu/xtractr/field.rb', line 147

# Look up a single term of this field by name.
#
# Asks the API for one row starting at +which+ and accepts it only if
# the returned key is exactly +which+.
#
# @param which [String] the term name (e.g. 'mozilla')
# @return [Term] the matching term wrapped for this field
# @raise [ArgumentError] when the API returns no row or a row whose key differs
def [](which)
    # NOTE(review): +name+ is interpolated into the request path without
    # escaping; presumably xtractr.json takes care of encoding — confirm.
    result = xtractr.json("api/field/#{name}/terms", :start => which, :limit => 1)
    row = result['rows'].first
    unless row && row['key'] == which
        raise ArgumentError, "Unknown term #{which} for field #{name}"
    end
    Term.new(self, row)
end

#count(q = '*') ⇒ Object

Return all the unique values of this field, optionally restricted by a query.

xtractr.field('http.user.agent').count('flow.src:192.168.1.1')


# File 'lib/mu/xtractr/field.rb', line 158

# Count the unique values of this field, delegating to Views.count
# against the api/flows/report endpoint.
#
# @param q [String] query restricting the report; '*' (the default) means everything
# @return whatever Views.count yields for this field — #values maps each
#   element through +object+, so presumably a list of Field::Value wrappers
def count(q = '*')
    Views.count(xtractr, self, "api/flows/report", :q => q)
end

#each_term(start = '') ⇒ Object Also known as: each

Fetch the terms of this field and their frequencies (in packets). If the optional start term is given, enumeration begins at that term.

field.each { |term| ... }
field.each('mozilla') { |term| ... }


# File 'lib/mu/xtractr/field.rb', line 111

# Enumerate the terms of this field, yielding one Term per row.
#
# Pages through the API 100 terms at a time: every request asks for 101
# rows, the first 100 are yielded and the 101st, when present, supplies
# the +start+ key of the next request.  A short page ends the walk.
#
# @param start [String] term to begin the enumeration at ('' = from the beginning)
# @yield [term] each Term in API order
# @return [Field] self, so the call can be chained
def each_term(start = '') # :yields: term
    # NOTE(review): +name+ goes into the request path unescaped; presumably
    # xtractr.json encodes it — confirm.
    opts = { :start => start, :limit => 101 }

    loop do
        result = xtractr.json("api/field/#{name}/terms", opts)
        rows = result['rows']
        break if rows.empty?

        rows.first(100).each { |row| yield Term.new(self, row) }

        # Fewer than 101 rows means there is no further page.
        break if rows.size < 101
        opts[:start] = rows[100]['key']
    end

    self
end

#inspectObject

:nodoc:



# File 'lib/mu/xtractr/field.rb', line 170

# Short debugging representation, e.g. #<field:http.host>.  :nodoc:
def inspect # :nodoc:
    format('#<field:%s>', name)
end

#terms(regex = nil) ⇒ Object

Fetch the list of all the unique terms for this field, sorted by the frequency of occurrence in the packets. This can be used for some quick trend analysis to see which term of a given field appears most amongst all packets in the index. Here's an example to print out the top 10 terms of http.request.uri.

p xtractr.field('http.request.uri').terms[0..10]


# File 'lib/mu/xtractr/field.rb', line 139

# All terms of this field, most frequent first.
#
# Collects every term through Enumerable#entries (which drives #each,
# the alias of #each_term), optionally keeps only those matching
# +regex+, and sorts them by descending +frequency+.
#
# @param regex [Regexp, String, nil] filter; a String is compiled as a
#   case-insensitive Regexp, nil keeps every term
# @return [Array<Term>] terms sorted by frequency, highest first
def terms(regex = nil)
    regex = Regexp.new(regex, Regexp::IGNORECASE) if regex.is_a?(String)
    # NOTE(review): `term =~ regex` assumes Term implements =~ — confirm.
    matched = regex ? entries.select { |term| term =~ regex } : entries
    matched.sort { |x, y| y.frequency <=> x.frequency }
end

#values(q = '*') ⇒ Object

Return a list of Field::Value objects for this field, sorted by their frequency. This is a convenience method to use the resulting Field::Value objects in method chaining.

xtractr.field('http.user.agent').values.first.packets.slice('foo.pcap')


# File 'lib/mu/xtractr/field.rb', line 166

# The Field::Value objects behind #count(q), in the order #count returns
# them, for convenient method chaining.
#
# @param q [String] query passed straight through to #count ('*' = all)
# @return [Array] the +object+ of every element #count produced
def values(q = '*')
    count(q).map(&:object)
end