Closed philrz closed 3 years ago
Verified in zq
commit f1bf7cc7
.
Now the output is the same even after the data has been turned into ZNG.
$ zq -version
Version: v0.23.0-12-gf1bf7cc7
$ zq -t '_path=conn id.resp_p=8080 | nodes=collect(id.resp_h) by id.orig_h, id.resp_p' *
#port=uint16
#0:record[id:record[orig_h:ip,resp_p:port],nodes:array[ip]]
0:[[10.9.1.101;8080;][118.110.236.121;118.110.236.121;118.110.236.121;]]
$ zq * | zq -t '_path=conn id.resp_p=8080 | nodes=collect(id.resp_h) by id.orig_h, id.resp_p' -
#port=uint16
#0:record[id:record[orig_h:ip,resp_p:port],nodes:array[ip]]
0:[[10.9.1.101;8080;][118.110.236.121;118.110.236.121;118.110.236.121;]]
Thanks @mccanne!
Repro is with
zq
commit01fe98b
.Test data is below:
Archive.zip
(Those are TSV logs generated by GA Zeek v3.2.2 based on this test pcap, ZIP password:
infected
.)If I run
zq
directly on the TSV logs, I get what appears to be correct output:If I turn the data into ZNG first, the output changes:
We know the latter output is incorrect because the IP address
84.4.32.6
is not returned in a search of either format.