brimdata / zui

Zui is a powerful desktop application for exploring and working with data. The official front-end to the Zed lake.
https://www.brimdata.io/download/

Ensure "Pivot to logs" modifications will parse and return intended results #1420

Open philrz opened 3 years ago

philrz commented 3 years ago

In a team discussion on 2021-02-02, we discussed an issue raised in the community by a user who was trying to modify the Z behind the Activity Overview query to include the Suricata alerts (Slack thread). Their initial attempt was:

fuse | count() by _path, event_type | sort -r

This produced a table that looked correct, but the right-click "Pivot to logs" operation then created Z that did not target the correct rows, e.g. _path="files" event_type=null, because the original non-fused data lacks an event_type field in the files records and hence this boolean AND fails to match any records.

I tried my hand at coming up with one which also did not work:

put _path=event_type | count() by _path | sort -r

In that case the "Pivot to logs" on the alerts line generates the Z _path="alert" which will return no results because the put only added the _path field as a prerequisite for running the aggregation, but the Suricata records in the original data lack the _path field and so the Z will find nothing.

We've seen other cases where the Z generated by a "Pivot to logs" will actually fail with a parsing error.

@mccanne made the point that this could be a problem/solution in the domain of Zealot. He seemed to think it could be made smart enough to examine a flowgraph and determine the possible legal pivots. At minimum this would hopefully allow us to "gray out" the "Pivot to logs" option if we know it will fail to parse or will not return the intended results. Perhaps it will also allow all pivots to be successful on sophisticated Z for which pivots don't work today.

(Side note: The Z enhancement described at https://github.com/brimsec/zq/issues/2066 is yet another example of functionality that, if made possible in Z, one would want to be able to pivot from.)

jameskerr commented 3 years ago

A simple improvement would be to run the generated "pivot-to-logs" Z scripts through the parser to see if it is at least valid or not. If it throws an error, then gray out the menu item.
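To illustrate the two failure modes described in the first comment (a group-by key that is null after fuse, and a key synthesized by put upstream of the aggregation), here is an added example that is not Zui's or Zealot's code. It assumes the Z query is a string of pipe-separated operators, does only a simplified string-level scan rather than using the real Zed parser, and emits the filter in the page's key=value syntax; the function names are hypothetical.

```javascript
// Added example (not Zui's own code): decide whether a "Pivot to logs" filter
// built from an aggregation row can target records in the original, un-fused data.
// Assumes a Z query is a string of pipe-separated operators (simplified parsing).

function parseOperators(z) {
  return z.split("|").map((s) => s.trim()).filter(Boolean);
}

// Fields written by a `put` upstream of the aggregation do not exist in the
// original records, so a pivot filter on them can never match anything.
function syntheticFields(ops) {
  const fields = new Set();
  for (const op of ops) {
    const m = op.match(/^put\s+(.+)$/);
    if (!m) continue;
    for (const assign of m[1].split(",")) {
      const lhs = assign.split("=")[0].trim();
      if (lhs) fields.add(lhs);
    }
  }
  return fields;
}

// Group-by keys of the first aggregation with a "by" clause.
function groupByKeys(ops) {
  for (const op of ops) {
    const m = op.match(/\bby\s+(.+)$/);
    if (m) return m[1].split(",").map((s) => s.trim());
  }
  return [];
}

// Returns {enabled, filter, reason}. A null key value after fuse means the
// original records lack that field, so key=null would match nothing: gray out.
function pivotToLogs(z, row) {
  const ops = parseOperators(z);
  const synthetic = syntheticFields(ops);
  const terms = [];
  for (const key of groupByKeys(ops)) {
    if (synthetic.has(key))
      return { enabled: false, filter: null, reason: `${key} was added by put; original records lack it` };
    const v = row[key];
    if (v === null || v === undefined)
      return { enabled: false, filter: null, reason: `${key} is null in this row; original records have no ${key} field` };
    terms.push(`${key}=${typeof v === "string" ? JSON.stringify(v) : v}`);
  }
  return { enabled: terms.length > 0, filter: terms.join(" "), reason: null };
}
```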