试图将这样的数据(zeek 连接数据)加载到 pyflink。我的问题是名称带有点的 id 字段,因为它们最初是 zeek 中的元组。
{
"ts": 1584544201.798601,
"uid": "CSgDnESdxqqAN88H3",
"id.orig_h": "172.24.41.32",
"id.orig_p": 64078,
"id.resp_h": "255.255.255.255",
"id.resp_p": 34329,
"proto": "udp",
"conn_state": "S0",
"missed_bytes": 0,
"history": "D",
"orig_pkts": 1,
"orig_ip_bytes": 542,
"resp_pkts": 0,
"resp_ip_bytes": 0
}
我将不胜感激有关如何执行此操作的任何帮助。
Ben,如果它妨碍您,您可以在 Zeek 的日志框架中更改该点。它被称为“范围分隔符”。在您的 local.zeek 或您正在加载的其他脚本中尝试此操作:
redef Log::default_scope_sep="_";
您也可以在命令行中执行此操作。例如,如果我说
$ zeek -r test.pcap Log::default_scope_sep=_ LogAscii::use_json=T
然后我得到:
{"ts":1117503119.471231,"uid":"C5mZTXjAFggDiLb1b","id_orig_h":"192.150.186.238","id_orig_p":42762,"id_resp_h":"66.35.250.209","id_resp_p":80,"proto":"tcp","service":"http","duration":6.483856916427612,"orig_bytes":377,"resp_bytes":10041,"conn_state":"SF","missed_bytes":0,"history":"ShADadfF","orig_pkts":11,"orig_ip_bytes":957,"resp_pkts":10,"resp_ip_bytes":10569}