[SecViz] Afterglow: Is it possible to split a field?
Raffael Marty
raffy at raffy.ch
Wed Mar 10 13:15:42 EST 2010
Oh, I see... I think you are breaking some functionality if you do that. Not sure though. Anyways, you could do something like format your data this way:
A,B,C|D
Then in your properties file, split by | again:
color = $count=(split(/\|/,$fields[2]))[0]; return "red" if ($count > 100)
I haven't tested this (my perl code might be off too, been in Python land for too long), but it should work... Hopefully ;)
Raffael
--
Raffael Marty, Founder @ Loggly
@zrlram raffy.ch/blog
On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:
> I have been working on this:
>
> http://www.pintumbler.org/code/edv
>
> The problem I was having was that I was already using the 3 fields:
>
> src_ip, dst_ip, signature
>
> I wanted to add a little depth by adding an event count for each
> unique (src->dst->signature) entry; a 4th field.
>
> I changed a couple lines in afterglow.pl:
>
> on line 438 I added: $other = $fields[3];
>
> and on line 474 I changed it to read: @fields=($source,$event,$target,$other);
>
> Now I can do:
>
> src_ip, dst_ip, signature,count using count to colorize the objects:
>
> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png
>
> It needs some work but it's close to what I was looking for.
>
> Thanks.
>
> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:
>> Hi Paul,
>>
>> Sure you can do that.
>>
>> Let's say you have a three column input:
>>
>> 10.0.0.1,20.2.2.2,100
>> 12.2.2.2,10.0.0.1,12
>>
>> So, you have a source address, destination address, and a count. Then do this:
>>
>> cat file | afterglow -t -c file.properties | ....
>>
>> What is important is the -t, which tells AfterGlow to only visualize two columns. The third column will still be available in your config file. So, the file.properties would look something like:
>>
>> color.target = "red" if ($fields[2]>100)
>>
>> Note, it's $fields[2], not 3! What you could also do:
>>
>> color = "green" if (fields()>100)
>>
>> Hope this helps. Looking forward to seeing your output on secviz.org. What's the use-case you are after?
>>
>> Cheers
>>
>> Raffael
>>
>> --
>> Raffael Marty, Founder @ Loggly
>> @zrlram raffy.ch/blog
>>
>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>>
>>> Or have field[3] available?
>>>
>>> I want to colour a source or target based on its count of events.
>>> Is this possible?
>>>
>>> Thanks.
>>> _______________________________________________
>>> SecViz-Visualization mailing list
>>> SecViz-Visualization at secviz.org
>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>
>>
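The pipe-delimited trick from the top of the thread, as an added example that is not code from the thread or from afterglow.pl: a small stand-in that evaluates a "color = <perl expression>" property against a record the way the config file would, and shows why the pipe in the split must be escaped. It assumes (unverified against AfterGlow's source) that the property expression is string-eval'ed with @fields holding the row's CSV columns, and that with -t the third column is still reachable as $fields[2].

```perl
#!/usr/bin/perl
# Added example, not from this thread or from afterglow.pl itself: a small
# stand-in for how a "color = <perl expression>" property sees one record.
# Assumptions (labelled, not verified against AfterGlow's source): the
# expression is string-eval'ed with @fields holding the row's CSV columns,
# and with -t the third column is still reachable as $fields[2].
use strict;
use warnings;

# Constructed rows in the suggested A,B,C|D layout, here src,dst,count|signature,
# so that element [0] of the split is the count, as in the reply.
my @rows = (
    "10.0.0.1,20.2.2.2,120|ET SCAN Nmap",
    "12.2.2.2,10.0.0.1,12|ET POLICY DNS",
);

# Evaluate a property expression against one row the way the config would.
sub color_for {
    my ($expr, $row) = @_;
    our @fields = split(/,/, $row);   # visible to the eval'ed expression
    my $color = eval $expr;
    die "property error: $@" if $@;
    return defined $color ? $color : "default";
}

# split()'s first argument is a regex, so the pipe must be escaped.
my $good = q{ my $count = (split(/\|/, $fields[2]))[0]; return "red" if ($count > 100); return "green"; };
# split("|", ...) compiles to an empty alternation that matches between every
# character, so [0] is the first character of the column ("1"), not the count.
my $bad  = q{ my $count = (split("|", $fields[2]))[0]; return "red" if ($count > 100); return "green"; };

for my $row (@rows) {
    printf "%-35s escaped=%-6s unescaped=%s\n",
        $row, color_for($good, $row), color_for($bad, $row);
}
```

Only the escaped form colors the first row red; the unescaped form silently compares the character "1" against the threshold and yields green for both rows.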