Hi Paolo and Karl, On Sat, 13 Jun 2009, Paolo Lucente wrote:
> On Sat, Jun 13, 2009 at 03:07:01PM -0500, Karl O. Pinc wrote: > > >> We are only interested in a single table. > > > > Why can't two separate sql plugins write to the same table? > > What Karl is proposing here might really result in a simpler > approach compared to the sub-aggregation scenario - which, with > some care (ie. sql_startup_delay to svoid events syncronization > while retaining same sql_history and sql_refresh_time settings), > can not only achieve same results but best of all is already > there. Let us know your thoughts! I don't think it can. For example, how would we write the configuration? Let's say we just want to zero (not aggregate on) the destination IP for flows less than 1000 bytes. We could try: plugins: mysql[with_dst], mysql[without_dst] aggregate[with_dst]: src_host, src_port, dst_host, dst_port, proto aggregate[without_dst]: src_host, src_port, dst_port, proto sql_preprocess[with_dst]: minb = 1000 sql_preprocess[without_dst]: maxb = 1000 but the flow aggregates are not the same for both plugins, so we can't ensure that any flow ends up in one plugin or the other but not both or neither. How else could we do it with what we already have? We could write to different tables at different levels of aggregation, and let the user choose which one to use, and delete old data from each table to stop it becoming too large... but that gets more complicated for the user. Cheers, Chris. -- Aptivate | http://www.aptivate.org | Phone: +44 1223 760887 The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES Aptivate is a not-for-profit company registered in England and Wales with company number 04980791. _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
