Syntax error when using Flow.commitRecord(); for FLOW_RECORD event


#1

Greetings,

Possibly a bug?

Running 5.2.2.2311

To reproduce: FLOW_RECORD trigger on a device to record flow records for device’s activity.

    if (event == "FLOW_RECORD") {
        Flow.commitRecord();
    }

Result: Syntax checker does not allow trigger to be saved. Complains that “Flow has no property commitRecord.”

Disabling Syntax checker to save trigger results in the trigger throwing exceptions: “Uncaught TypeError: Flow.commitRecord is not a function”

However, the Trigger API documentation suggests that Flow.commitRecord() is a valid method.

commitRecord(): void
Commits the record to the ExtraHop Explore appliance. See the record property below for details.
Properties are returned for the record only on FLOW_RECORD events. See the record property below for details.

For built-in records, each unique record is committed only once, even if .commitRecord is called multiple times for the same unique record.


#2

Hi,
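I would try the following, supposing your custom record is named "MyFlow".

    if (event == 'FLOW_RECORD') {
        // fields must be an object of key-value pairs (see the signature below);
        // record properties are read from a device role, e.g. Flow.client.record
        commitRecord("MyFlow", {senderAddr: Flow.client.record.senderAddr});
    }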


commitRecord(id: String, {key: value, key: value}): boolean
Commits a record to the ExtraHop Explore appliance. Returns true if the record is successfully committed.
id: String
The ID of the type of record type to be created, which cannot begin with a tilde (~).
fields: Object
One or more key-value pairs.

record: Object
Returns an object with all properties appropriately initialized for a device in the flow. Specify the device role in the syntax—for example, Flow.client.record or Flow.server.record.
Applies only to FLOW_RECORD events. The following record object properties are available on FLOW_RECORD events:

bytes
first
last
pkts
proto
senderAddr
senderPort
receiverAddr
receiverPort
tcpFlags
tos


#3

While this is a technical workaround, it unfortunately does not address the underlying issue/question at hand:

Is the documentation incorrect, or is this an enhancement that needs to be introduced to support Flow.commitRecord()? The latter seems most logical to me…

Furthermore, a custom record type is not ideal since it breaks the workflow of the record drill-down from the summary metric UI. For example, you would not be able to click the record drill in from the L3/L4 Details UI and see matching records. Instead, you would have to then select the custom record type and apply the appropriate filters. This is obviously not an ideal workflow.


#4

Flow records are directional, so there isn’t a single record you can commit. You need to either call Flow.client.commitRecord() (or server instead of client) or Flow.commitRecord1() or Flow.commitRecord2(). This will give you the built-in records you’re looking for.
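
The directional calls named in reply #4, shown as an added example that is not part of the thread and not ExtraHop's own code: it commits the built-in record for each device role and only calls a method after checking that it exists, which avoids the "is not a function" exception from post #1. The helper `commitFlowRecords` and the stub `makeStubFlow` are hypothetical names; the stub is a constructed stand-in for the appliance's `Flow` object so the logic can be run offline.

```javascript
// Added example. In a real trigger, `event` and `Flow` are globals supplied
// by the appliance and the call would be: commitFlowRecords(event, Flow);
function commitFlowRecords(event, Flow) {
    var committed = [];
    if (event !== "FLOW_RECORD") {
        return committed; // built-in flow records exist only on this event
    }
    function isFn(obj, name) {
        return Boolean(obj) && typeof obj[name] === "function";
    }
    // Role-based form from reply #4: one record per direction.
    ["client", "server"].forEach(function (role) {
        if (isFn(Flow[role], "commitRecord")) {
            Flow[role].commitRecord();
            committed.push("Flow." + role + ".commitRecord");
        }
    });
    // Numbered form from reply #4, used only if the role-based form is absent.
    if (committed.length === 0) {
        ["commitRecord1", "commitRecord2"].forEach(function (name) {
            if (isFn(Flow, name)) {
                Flow[name]();
                committed.push("Flow." + name);
            }
        });
    }
    return committed; // empty list means nothing was committed
}

// Constructed stub (assumption): exposes only the methods reply #4 names,
// and deliberately has no Flow.commitRecord, matching post #1's error.
function makeStubFlow() {
    var log = [];
    return {
        log: log,
        client: { commitRecord: function () { log.push("client"); } },
        server: { commitRecord: function () { log.push("server"); } },
        commitRecord1: function () { log.push("1"); },
        commitRecord2: function () { log.push("2"); }
    };
}
```

An empty return value on a FLOW_RECORD event means no directional method was found, which is worth logging rather than ignoring.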