From eec89c362f5ca699c7a64f45a9d6048bc6accbd9 Mon Sep 17 00:00:00 2001
From: Phil Rzewski <phil@brimdata.io>
Date: Tue, 23 Jan 2024 19:28:31 +0000
Subject: [PATCH] Adapt to Zeek "files" log losing conn_uids+tx_hosts+rx_hosts
 and gaining uid+id (#2981)

---
 .../src/plugins/brimcap/zeek/correlations.ts    |  4 ++--
 apps/zui/src/plugins/brimcap/zeek/queries.ts    |  3 ++-
 apps/zui/src/plugins/brimcap/zeek/util.ts       |  1 -
 apps/zui/src/ppl/detail/models/Correlation.ts   |  1 -
 apps/zui/src/ppl/zeek/descriptions.ts           | 17 ++++++-----------
 5 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/apps/zui/src/plugins/brimcap/zeek/correlations.ts b/apps/zui/src/plugins/brimcap/zeek/correlations.ts
index a77472eb62..753edff779 100644
--- a/apps/zui/src/plugins/brimcap/zeek/correlations.ts
+++ b/apps/zui/src/plugins/brimcap/zeek/correlations.ts
@@ -29,7 +29,7 @@ export function activateZeekCorrelations() {
       return zedScript`
         from ${session.poolName} 
         | md5==${getMd5()} 
-        | count() by tx_hosts 
+        | count() by tx_host:=id.resp_h 
         | sort -r 
         | head 5`
     },
@@ -41,7 +41,7 @@ export function activateZeekCorrelations() {
       return zedScript`
           from ${session.poolName} 
           | md5==${getMd5()} 
-          | count() by rx_hosts 
+          | count() by rx_host:=id.orig_h 
           | sort -r 
           | head 5`
     },
diff --git a/apps/zui/src/plugins/brimcap/zeek/queries.ts b/apps/zui/src/plugins/brimcap/zeek/queries.ts
index 331063b12c..bbad2c4103 100644
--- a/apps/zui/src/plugins/brimcap/zeek/queries.ts
+++ b/apps/zui/src/plugins/brimcap/zeek/queries.ts
@@ -6,7 +6,7 @@ export function uidQuery(pool: string, uid: string) {
 }
 
 export function uidFilter(uid: string) {
-  return zedScript`uid==${uid} or ${uid} in conn_uids or ${uid} in uids or referenced_file.uid==${uid}`
+  return zedScript`uid==${uid} or ${uid} in uids or referenced_file.uid==${uid}`
 }
 
 export function communityConnFilter(data: CommunityConnArgs) {
@@ -25,6 +25,7 @@ export function findConnLog(pool: string, uid: string) {
   | (` +
     uidFilter(uid) +
     `)
+  | _path=="conn" 
   | is(ts, <time>) 
   | is(duration, <duration>) 
   | is(uid, <string>)
diff --git a/apps/zui/src/plugins/brimcap/zeek/util.ts b/apps/zui/src/plugins/brimcap/zeek/util.ts
index 53c967f89f..c1262e594a 100644
--- a/apps/zui/src/plugins/brimcap/zeek/util.ts
+++ b/apps/zui/src/plugins/brimcap/zeek/util.ts
@@ -7,7 +7,6 @@ export function findUid(value: zed.Value) {
   }
 
   const specialUids = {
-    files: "conn_uids",
     dhcp: "uids",
   }
   if (value.has("_path")) {
diff --git a/apps/zui/src/ppl/detail/models/Correlation.ts b/apps/zui/src/ppl/detail/models/Correlation.ts
index 2ed30c18de..366207a7e1 100644
--- a/apps/zui/src/ppl/detail/models/Correlation.ts
+++ b/apps/zui/src/ppl/detail/models/Correlation.ts
@@ -2,7 +2,6 @@ import {get} from "lodash"
 import * as zed from "@brimdata/zed-js"
 
 const specialUids = {
-  files: "conn_uids",
   dhcp: "uids",
 }
 
diff --git a/apps/zui/src/ppl/zeek/descriptions.ts b/apps/zui/src/ppl/zeek/descriptions.ts
index fe35ba9989..89ea0d467e 100644
--- a/apps/zui/src/ppl/zeek/descriptions.ts
+++ b/apps/zui/src/ppl/zeek/descriptions.ts
@@ -244,19 +244,14 @@ export default {
       desc: "An identifier associated with a single file.",
     },
     {
-      name: "tx_hosts",
-      type: "table",
-      desc: "If this file was transferred over a network connection this should show the host or hosts that the data sourced from.",
-    },
-    {
-      name: "rx_hosts",
-      type: "table",
-      desc: "If this file was transferred over a network connection this should show the host or hosts that the data traveled to.",
+      name: "uid",
+      type: "string",
+      desc: "Unique ID for the connection.",
     },
     {
-      name: "conn_uids",
-      type: "table",
-      desc: "Connection UIDs over which the file was transferred.",
+      name: "id",
+      type: "record conn_id",
+      desc: "The connection's 4-tuple of endpoint addresses/ports.",
     },
     {
       name: "source",