mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Event: Store timestamp in metadata vector
This removes the ts attribute from Event and instead allocates a vector for storing metadata. By default, adds the network time as a TimeVal. Later patches will make the allocation of the vector optional by introducing a different constructor so that users that are not interested in network timestamp metadata do not take the allocation hit. Moving the explicit ``ts`` out of the event is done in order to treat it just as generic metadata, too. However, the Time() accessor is adapted to lookup the value from the metadata vector instead.
This commit is contained in:
Arne Welzel
parent
cc7dc60c1e
commit
12c523f3f7
2 changed files with 80 additions and 5 deletions
48
src/Event.cc
48
src/Event.cc
|
|
@ -2,9 +2,12 @@
|
|||
|
||||
#include "zeek/Event.h"
|
||||
|
||||
#include <cinttypes>
|
||||
|
||||
#include "zeek/Desc.h"
|
||||
#include "zeek/EventRegistry.h"
|
||||
#include "zeek/Trigger.h"
|
||||
#include "zeek/Type.h"
|
||||
#include "zeek/Val.h"
|
||||
#include "zeek/iosource/Manager.h"
|
||||
#include "zeek/plugin/Manager.h"
|
||||
|
|
@ -15,19 +18,58 @@ zeek::EventMgr zeek::event_mgr;
|
|||
|
||||
namespace zeek {
|
||||
|
||||
detail::EventMetadataVectorPtr detail::MakeEventMetadataVector(double t) {
|
||||
auto tv = make_intrusive<TimeVal>(t);
|
||||
auto entry = detail::MetadataEntry{static_cast<zeek_uint_t>(detail::MetadataType::NetworkTimestamp), std::move(tv)};
|
||||
return std::make_unique<detail::EventMetadataVector>(std::vector{std::move(entry)});
|
||||
}
|
||||
|
||||
RecordValPtr detail::MetadataEntry::BuildVal() const {
|
||||
static const auto rt = id::find_type<RecordType>("EventMetadata::Entry");
|
||||
auto rv = make_intrusive<RecordVal>(rt);
|
||||
const auto* desc = event_registry->LookupMetadata(id);
|
||||
if ( ! desc ) {
|
||||
zeek::reporter->InternalWarning("unable to find metadata descriptor for id %" PRIu64, id);
|
||||
return rv;
|
||||
}
|
||||
|
||||
rv->Assign(0, desc->IdVal());
|
||||
rv->Assign(1, val);
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
Event::Event(const EventHandlerPtr& arg_handler, zeek::Args arg_args, util::detail::SourceID arg_src,
|
||||
analyzer::ID arg_aid, Obj* arg_obj, double arg_ts)
|
||||
: handler(arg_handler),
|
||||
args(std::move(arg_args)),
|
||||
src(arg_src),
|
||||
aid(arg_aid),
|
||||
ts(arg_ts),
|
||||
obj(arg_obj),
|
||||
next_event(nullptr) {
|
||||
next_event(nullptr),
|
||||
meta(detail::MakeEventMetadataVector(arg_ts)) {
|
||||
if ( obj )
|
||||
Ref(obj);
|
||||
}
|
||||
|
||||
double Event::Time() const {
|
||||
if ( ! meta )
|
||||
return 0.0;
|
||||
|
||||
for ( const auto& m : *meta )
|
||||
if ( m.Id() == static_cast<zeek_uint_t>(detail::MetadataType::NetworkTimestamp) ) {
|
||||
if ( m.Val()->GetType()->Tag() != TYPE_TIME ) {
|
||||
// This should've been caught during parsing.
|
||||
zeek::reporter->InternalError("event metadata timestamp has wrong type: %s",
|
||||
obj_desc_short(m.Val()->GetType().get()).c_str());
|
||||
}
|
||||
|
||||
return m.Val()->AsTime();
|
||||
}
|
||||
|
||||
return 0.0;
|
||||
}
|
||||
|
||||
void Event::Describe(ODesc* d) const {
|
||||
if ( d->IsReadable() )
|
||||
d->AddSP("event");
|
||||
|
|
@ -53,7 +95,7 @@ void Event::Dispatch(bool no_remote) {
|
|||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
||||
// Replace in v8.1 with handler->Call(&args).
|
||||
handler->Call(&args, no_remote, ts);
|
||||
handler->Call(&args, no_remote, Time());
|
||||
#pragma GCC diagnostic pop
|
||||
}
|
||||
|
||||
|
|
|
|||
37
src/Event.h
37
src/Event.h
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
#include <tuple>
|
||||
#include <type_traits>
|
||||
#include <vector>
|
||||
|
||||
#include "zeek/ZeekArgs.h"
|
||||
#include "zeek/analyzer/Analyzer.h"
|
||||
|
|
@ -18,6 +19,38 @@ extern double network_time;
|
|||
|
||||
class EventMgr;
|
||||
|
||||
namespace detail {
|
||||
|
||||
/**
|
||||
* An event metadata entry as stored in Event or @ref zeek::cluster::detail::Event.
|
||||
*/
|
||||
class MetadataEntry {
|
||||
public:
|
||||
MetadataEntry(zeek_uint_t id, zeek::ValPtr val) : id(id), val(std::move(val)) {}
|
||||
|
||||
zeek_uint_t Id() const { return id; }
|
||||
const zeek::ValPtr& Val() const { return val; }
|
||||
|
||||
/**
|
||||
* @return Pointer to a script-layer ``EventMetadata::Entry`` zeek::RecordVal representing this metadata entry.
|
||||
*/
|
||||
RecordValPtr BuildVal() const;
|
||||
|
||||
private:
|
||||
zeek_uint_t id;
|
||||
zeek::ValPtr val;
|
||||
};
|
||||
|
||||
using EventMetadataVector = std::vector<MetadataEntry>;
|
||||
using EventMetadataVectorPtr = std::unique_ptr<EventMetadataVector>;
|
||||
|
||||
/**
|
||||
* @return A new event metadata vector containing network timestamp value set to \a t;
|
||||
*/
|
||||
EventMetadataVectorPtr MakeEventMetadataVector(double t);
|
||||
|
||||
} // namespace detail
|
||||
|
||||
class Event final : public Obj {
|
||||
public:
|
||||
Event(const EventHandlerPtr& handler, zeek::Args args, util::detail::SourceID src = util::detail::SOURCE_LOCAL,
|
||||
|
|
@ -30,7 +63,7 @@ public:
|
|||
analyzer::ID Analyzer() const { return aid; }
|
||||
EventHandlerPtr Handler() const { return handler; }
|
||||
const zeek::Args& Args() const { return args; }
|
||||
double Time() const { return ts; }
|
||||
double Time() const;
|
||||
|
||||
void Describe(ODesc* d) const override;
|
||||
|
||||
|
|
@ -45,9 +78,9 @@ private:
|
|||
zeek::Args args;
|
||||
util::detail::SourceID src;
|
||||
analyzer::ID aid;
|
||||
double ts;
|
||||
Obj* obj;
|
||||
Event* next_event;
|
||||
detail::EventMetadataVectorPtr meta;
|
||||
};
|
||||
|
||||
class EventMgr final : public Obj, public iosource::IOSource {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue