
Simplify configuration

Open JustinAzoff opened this issue 8 years ago • 1 comment

Minimally now that I have

        "file_glob": "/bro/logs/*/notice.*gz",
        "recent_file_glob": "/bro/logs/%Y-%m-%d/notice.*gz",

Currently if recent_file_glob is missing, it can just default to file_glob. However, if only recent_file_glob is present, one could just convert the %X to * giving /bro/logs/*-*-*/notice.*gz which would also work in place of file_glob, so both are probably not needed.

JustinAzoff avatar Mar 26 '18 21:03 JustinAzoff

Another idea is to replace

        YYYY => (?P<year>\\d\\d\\d\\d)
        MM => (?P<month>\\d\\d)
        DD => (?P<day>\\d\\d)
        HH => (?P<hour>\\d\\d)
        MM => (?P<minute>\\d\\d)

which would simplify some of the regexes to stuff like

        "filename_to_time_regex": "nfcapd.YYYYMMDDHHMM",

instead of what is there now.

JustinAzoff avatar Mar 28 '18 01:03 JustinAzoff
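Both ideas in this thread (deriving file_glob from recent_file_glob, and the YYYY/MM/DD/HH/MM shorthand for filename_to_time_regex) worked through in Go as an added example; this is not flow-indexer's own code. The function names are assumed, `\d{n}` stands in for the repeated `\d`, and because the comment lists MM for both month and minute, the example assumes an MM that follows HH is the minute.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// globFromRecentGlob: file_glob derived from recent_file_glob, each strftime directive -> "*".
func globFromRecentGlob(recent string) string {
	return regexp.MustCompile(`%[A-Za-z]`).ReplaceAllString(recent, "*")
}
// tokenRegex expands "nfcapd.YYYYMMDDHHMM"-style shorthand into a regex with named groups.
// MM is listed twice in the issue; assumed rule: MM after HH is the minute, else the month.
func tokenRegex(pattern string) (*regexp.Regexp, error) {
	groups := map[string]string{"YYYY": "year", "DD": "day", "HH": "hour", "MM": "month"}
	var b strings.Builder
next:
	for i := 0; i < len(pattern); {
		for _, tok := range []string{"YYYY", "DD", "HH", "MM"} {
			if strings.HasPrefix(pattern[i:], tok) {
				fmt.Fprintf(&b, `(?P<%s>\d{%d})`, groups[tok], len(tok))
				if tok == "HH" {
					groups["MM"] = "minute" // any later MM is a minute
				}
				i += len(tok)
				continue next
			}
		}
		b.WriteString(regexp.QuoteMeta(pattern[i : i+1])) // literal byte (ASCII assumed)
		i++
	}
	return regexp.Compile(b.String())
}
// filenameToTime reads the groups back; omitted components default to Jan 1 00:00 UTC.
func filenameToTime(re *regexp.Regexp, name string) (time.Time, error) {
	m := re.FindStringSubmatch(name)
	if m == nil {
		return time.Time{}, fmt.Errorf("%q does not match %s", name, re)
	}
	p := map[string]int{"year": 0, "month": 1, "day": 1, "hour": 0, "minute": 0}
	for i, n := range re.SubexpNames() {
		if n != "" {
			p[n], _ = strconv.Atoi(m[i]) // groups are \d-only, so Atoi cannot fail
		}
	}
	return time.Date(p["year"], time.Month(p["month"]), p["day"], p["hour"], p["minute"], 0, 0, time.UTC), nil
}
```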