正在将zeek连接数据加载到pyflink

Question

尝试将这样的数据(zeek连接数据)加载到pyflink。我的问题是id字段的名称带有点，因为它们最初是zeek中的元组。

{
  "ts": 1584544201.798601,
  "uid": "CSgDnESdxqqAN88H3",
  "id.orig_h": "172.24.41.32",
  "id.orig_p": 64078,
  "id.resp_h": "255.255.255.255",
  "id.resp_p": 34329,
  "proto": "udp",
  "conn_state": "S0",
  "missed_bytes": 0,
  "history": "D",
  "orig_pkts": 1,
  "orig_ip_bytes": 542,
  "resp_pkts": 0,
  "resp_ip_bytes": 0
}

如果您能帮助我做这件事，我将不胜感激。

Answer 1

Ben，你可以在Zeek的日志框架中修改这个点，如果它有问题的话。它被称为“范围分隔符”。在您的local.zeek或您正在加载的其他脚本中尝试此命令：

redef Log::default_scope_sep="_";

您也可以在命令行中执行此操作。例如，如果我说

$ zeek -r test.pcap Log::default_scope_sep=_ LogAscii::use_json=T

然后我得到：

{"ts":1117503119.471231,"uid":"C5mZTXjAFggDiLb1b","id_orig_h":"192.150.186.238","id_orig_p":42762,"id_resp_h":"66.35.250.209","id_resp_p":80,"proto":"tcp","service":"http","duration":6.483856916427612,"orig_bytes":377,"resp_bytes":10041,"conn_state":"SF","missed_bytes":0,"history":"ShADadfF","orig_pkts":11,"orig_ip_bytes":957,"resp_pkts":10,"resp_ip_bytes":10569}