On Tue, Sep 12, 2017 at 4:53 AM, Takeo Ogawara <ta-ogawara@kddi-research.jp>
wrote:
>
>
> > Is it absolutely required to query large files like this? Would it be
> > acceptable to split the file first by making a quick scan over it?
> No, loading a large file isn’t necessarily required.
> In fact, this large PCAP file is created by concatenating small PCAP files
> with the mergecap command.
> So there is no problem with inputting small PCAP files into Drill.
>
> How can I analyze numbers of PCAP files together?
>
Simply specify a directory instead of a file. If the directory contains
PCAP files, then you will query those files as if they are one table.
You can also specify a wildcard to allow you to query just some files.