On Tue, Sep 12, 2017 at 4:53 AM, Takeo Ogawara <ta-ogaw...@kddi-research.jp> wrote:
> > > > Is it absolutely required to query large files like this? Would it be > > acceptable to split the file first by making a quick scan over it? > No,loading large file isn’t necessarily required. > In fact, this large PCAP file is created by concatenating small PCAP files > with mergecap command. > So there is no problem with input small PCAP files into Drill. > > How can I analyze numbers of PCAP files together? > Simply specify a directory instead of a file. If the directory contains PCAP files, then you will query those files as if they are one table. You can also specify wildcard to allow you to query just some files.
