Merge remote-tracking branch 'origin/master' into topic/seth/sumstats-updates

scripts/base/frameworks/files/main.bro

@@ -204,7 +204,7 @@ export {
 	## 
 	## tag: Tag for the protocol analyzer having a callback being registered.
 	##
-	## reg: A :bro:see:`ProtoRegistration` record.
+	## reg: A :bro:see:`Files::ProtoRegistration` record.
 	##
 	## Returns: true if the protocol being registered was not previously registered.
 	global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool;
@@ -228,11 +228,6 @@ redef record fa_file += {
 	info: Info &optional;
 };
 
-redef record AnalyzerArgs += {
-	# This is used interally for the core file analyzer api.
-	tag: Files::Tag &optional;
-};
-
 # Store the callbacks for protocol analyzers that have files.
 global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table();
 
@@ -275,14 +270,12 @@ function set_timeout_interval(f: fa_file, t: interval): bool
 
 function add_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool
 	{
-	# This is to construct the correct args for the core API.
-	args$tag = tag;
 	add f$info$analyzers[Files::analyzer_name(tag)];
 
 	if ( tag in analyzer_add_callbacks )
 		analyzer_add_callbacks[tag](f, args);
 
-	if ( ! __add_analyzer(f$id, args) )
+	if ( ! __add_analyzer(f$id, tag, args) )
 		{
 		Reporter::warning(fmt("Analyzer %s not added successfully to file %s.", tag, f$id));
 		return F;
@@ -297,8 +290,7 @@ function register_analyzer_add_callback(tag: Files::Tag, callback: function(f: f
 
 function remove_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool
 	{
-	args$tag = tag;
-	return __remove_analyzer(f$id, args);
+	return __remove_analyzer(f$id, tag, args);
 	}
 
 function stop(f: fa_file): bool

scripts/base/frameworks/packet-filter/main.bro

@@ -109,7 +109,7 @@ export {
 
 	## Enables the old filtering approach of "only watch common ports for
 	## analyzed protocols".
-        ##
+	##
 	## Unless you know what you are doing, leave this set to F.
 	const enable_auto_protocol_capture_filters = F &redef;
 

scripts/base/frameworks/sumstats/plugins/__load__.bro

@@ -5,5 +5,6 @@
 @load ./sample
 @load ./std-dev
 @load ./sum
+@load ./topk
 @load ./unique
-@load ./variance
+@load ./variance

scripts/base/frameworks/sumstats/plugins/topk.bro

@@ -0,0 +1,50 @@
+@load base/frameworks/sumstats
+
+module SumStats;
+
+export {
+	redef record Reducer += {
+		## number of elements to keep in the top-k list
+		topk_size: count &default=500;
+	};
+
+	redef enum Calculation += {
+		TOPK
+	};
+
+	redef record ResultVal += {
+		topk: opaque of topk &optional;
+	};
+
+}
+
+hook init_resultval_hook(r: Reducer, rv: ResultVal)
+	{
+	if ( TOPK in r$apply && ! rv?$topk )
+		rv$topk = topk_init(r$topk_size);
+	}
+
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+	{
+	if ( TOPK in r$apply )
+		topk_add(rv$topk, obs);
+	}
+
+hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
+	{
+	if ( rv1?$topk )
+		{
+		result$topk = topk_init(topk_size(rv1$topk));
+
+		topk_merge(result$topk, rv1$topk);
+
+		if ( rv2?$topk )
+			topk_merge(result$topk, rv2$topk);
+		}
+
+	else if ( rv2?$topk )
+		{
+		result$topk = topk_init(topk_size(rv2$topk));
+		topk_merge(result$topk, rv2$topk);
+		}
+	}