EventReader's may associate packets with an event that don't belong to it. #14
Comments
|
Closing. The answer is to deprecate the "event" readers and only officially support the record readers. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The way unified2 logging works, the packets (or any non-event record) following an event record may not be associated with that event, but an event that happened before it.
Currently the record aggregator will bundle all non-event records with the most recent event until a new event record is received. Instead it will need to verify that the record does belong to the event that is currently being aggregated.
This also means that an Event object may not contain all the packet records associated it with it, as there may be an event record in the unified2 log file before a packet record for the previous event is seen.
I think the only solution is that the EventReader's make a best effort to gather all the records together in an event. Perhaps the aggregator could have a timeout where it holds onto multiple events for an amount of time waiting for more records, but there could still be a record that appears outside that window.
Still needs some thought.
The text was updated successfully, but these errors were encountered: