loading zeek connection data to pyflink

Question

Trying to load data like this(zeek connection data) to pyflink. My problem is the id fields that have a name with a dot because they were originally a tuple in zeek.

{
  "ts": 1584544201.798601,
  "uid": "CSgDnESdxqqAN88H3",
  "id.orig_h": "172.24.41.32",
  "id.orig_p": 64078,
  "id.resp_h": "255.255.255.255",
  "id.resp_p": 34329,
  "proto": "udp",
  "conn_state": "S0",
  "missed_bytes": 0,
  "history": "D",
  "orig_pkts": 1,
  "orig_ip_bytes": 542,
  "resp_pkts": 0,
  "resp_ip_bytes": 0
}

I Would appreciate any help with how to do this.

Answer 1

Ben, you can change that dot in Zeek's logging framework if it gets in the way. It's called the "scope separator". Try this in your local.zeek or another script you're loading:

redef Log::default_scope_sep="_";

You can also do this at the command line. For example, if I say

$ zeek -r test.pcap Log::default_scope_sep=_ LogAscii::use_json=T

then I get:

{"ts":1117503119.471231,"uid":"C5mZTXjAFggDiLb1b","id_orig_h":"192.150.186.238","id_orig_p":42762,"id_resp_h":"66.35.250.209","id_resp_p":80,"proto":"tcp","service":"http","duration":6.483856916427612,"orig_bytes":377,"resp_bytes":10041,"conn_state":"SF","missed_bytes":0,"history":"ShADadfF","orig_pkts":11,"orig_ip_bytes":957,"resp_pkts":10,"resp_ip_bytes":10569}