:tocdepth: 3

base/frameworks/logging/writers/dataseries.bro
==============================================
.. bro:namespace:: LogDataSeries

Interface for the DataSeries log writer.

:Namespace: LogDataSeries
:Source File: :download:`/scripts/base/frameworks/logging/writers/dataseries.bro`

Summary
~~~~~~~
Options
#######
================================================================================== ================================================================
:bro:id:`LogDataSeries::compression`: :bro:type:`string` :bro:attr:`&redef`        Compression to use with the DS output file.
:bro:id:`LogDataSeries::dump_schema`: :bro:type:`bool` :bro:attr:`&redef`          Should we dump the XML schema we use for this DS file to disk?
                                                                                   If yes, the XML schema shares the name of the logfile, but has
                                                                                   an XML ending.
:bro:id:`LogDataSeries::extent_size`: :bro:type:`count` :bro:attr:`&redef`         The extent buffer size.
:bro:id:`LogDataSeries::num_threads`: :bro:type:`count` :bro:attr:`&redef`         How many threads should DataSeries spawn to perform compression?
                                                                                   Note that this dictates the number of threads per log stream.
:bro:id:`LogDataSeries::use_integer_for_time`: :bro:type:`bool` :bro:attr:`&redef` Should time be stored as an integer or a double?
                                                                                   Storing time as a double leads to possible precision issues and
                                                                                   can (significantly) increase the size of the resulting DS log.
================================================================================== ================================================================

Redefinitions
#############
==================================================================================== =
:bro:id:`Log::default_rotation_postprocessors`: :bro:type:`table` :bro:attr:`&redef` 
==================================================================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: LogDataSeries::compression

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``"gz"``

   Compression to use with the DS output file.  Options are:

   - 'none' -- No compression.
   - 'lzf'  -- LZF compression (very quick, but leads to larger output files).
   - 'lzo'  -- LZO compression (very fast decompression times).
   - 'gz'   -- GZIP compression (slower than LZF, but also produces smaller output).
   - 'bz2'  -- BZIP2 compression (slower than GZIP, but also produces smaller output).

.. bro:id:: LogDataSeries::dump_schema

   :Type: :bro:type:`bool`
   :Attributes: :bro:attr:`&redef`
   :Default: ``F``

   Should we dump the XML schema we use for this DS file to disk?
   If yes, the XML schema shares the name of the logfile, but has
   an XML ending.

.. bro:id:: LogDataSeries::extent_size

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``65536``

   The extent buffer size.
   Larger values here lead to better compression and more efficient writes,
   but also increase the lag between the time events are received and
   the time they are actually written to disk.

.. bro:id:: LogDataSeries::num_threads

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``1``

   How many threads should DataSeries spawn to perform compression?
   Note that this dictates the number of threads per log stream.  If
   you're using a lot of streams, you may want to keep this number
   relatively small.
   
   Default value is 1, which will spawn one thread / stream.
   
   Maximum is 128, minimum is 1.

.. bro:id:: LogDataSeries::use_integer_for_time

   :Type: :bro:type:`bool`
   :Attributes: :bro:attr:`&redef`
   :Default: ``F``

   Should time be stored as an integer or a double?
   Storing time as a double leads to possible precision issues and
   can (significantly) increase the size of the resulting DS log.
   That said, timestamps stored in double form are consistent
   with the rest of Bro, including the standard ASCII log. Hence, we
   use them by default.
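
The precision issue described for ``use_integer_for_time`` can be seen with a short calculation. This is an added example, not part of Bro or of this script; it assumes the integer form counts microseconds since the Unix epoch (a unit this page does not state) and uses constructed sample timestamps.

```python
import math

# Constructed sample: three events 1 microsecond apart, as integer
# microseconds since the Unix epoch (the unit is an assumption of this example).
SAMPLE_US = [1300000000000001, 1300000000000002, 1300000000000003]


def double_spacing(epoch_seconds):
    """Gap in seconds between adjacent IEEE-754 doubles near epoch_seconds."""
    _, exponent = math.frexp(epoch_seconds)
    return math.ldexp(1.0, exponent - 53)


def gaps_as_integer(timestamps_us):
    """Inter-event gaps in microseconds, computed on the integer form (exact)."""
    return [b - a for a, b in zip(timestamps_us, timestamps_us[1:])]


def gaps_as_double(timestamps_us):
    """Inter-event gaps in seconds after each timestamp is stored as a double."""
    # int / int is correctly rounded, so each value is the nearest double.
    as_double = [us / 10**6 for us in timestamps_us]
    return [b - a for a, b in zip(as_double, as_double[1:])]


if __name__ == "__main__":
    step = double_spacing(SAMPLE_US[0] / 10**6)
    print("double spacing near sample: %.3e s" % step)
    print("integer gaps (us):", gaps_as_integer(SAMPLE_US))
    for gap in gaps_as_double(SAMPLE_US):
        print("double gap: %.4f us (%d steps)" % (gap * 1e6, round(gap / step)))
```

Near these epoch values a double resolves about 0.24 microseconds, so the same 1-microsecond gap is reported as roughly 0.95 or 1.19 microseconds, while the integer form reports it exactly.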


