Another Upgrade from 1.6 to 1.7 command question.

[SandorGardil]

Hello again, I have gotten stuck with a couple more commands and was looking for some advice to better understand the proper syntax to use. Both of the commands that are failing are using -o fmt followed by some data. The first command has this for the -o flag
-o 'fmt:%sa, %da, %sp, %dp, %pkt, %byt, %fl
and the error returned was
Can not use print format fmt:%sa %da %sp %dp %pkt %byt %fl to aggregate flows
I tried it with and without comma's and spacings but non of the attempts worked. The second command using the -o fmt flag that I have that worked for 1.6 is
-o 'fmt:{"protocol": "%pr", "start": "%ts", "end": "%te", "duration": "%td", "srcip": "%sa", "dstip": "%da", "srcport": "%sp", "dstport": "%dp", "srcas": "%sas", "dstas": "%das", "packets": %pkt, "bytes": %byt, "flows": %fl, "packets": %pkt, "tos": %tos, "bps": %bps, "pps": %pps, "Bpp": %bpp}'
The returned error was the same as the first error but with the different sent information.

Any help to better understand is very much appreciated, thanks!

[phaag]

It's not about the print format -o fmt:.... but rather the potential mismatch with other arguments. You were using a specific aggregation -a -A.... The aggregation automatically selects the corresponding fmt format in order to prevent unexpected output.

Assume you use -a -Asrcip -o 'fmt:%sa, %da, %sp, %dp, %pkt, %byt, %fl' . The aggregation -Asrcip is not compatible with the fmt format as only the src IP would be valid after the aggregation all other fields are nulled out.
Nfdump 1.7.x is more strict with formats, such as -Asrcip,dstip for example automatically selects -o fmt:%sa %da as the correct output format.

[SandorGardil]

Thanks for the quick response, I was off yesterday or I would have gotten back sooner. I might be misunderstanding this a bit, when running -a -A it will look for the fmt format and match the corresponding aggregates? Our old queries were running -a -A 'dstip,srcip and -a -A 'srcip,dstip'. I attempted running the command in terminal with no aggregates but still using -a -A and it returns an error saying syntax error at 'fmt: . This is the whole command I ran nfdump -M '{path to dir with nfcapd files}' -R . -t '2025/01/20.09:49:34-2025/01/21.09:49:33' -N -a -A -o 'fmt:%sa %da %sp %dp %pkt %byt %fl' 'src ip 192.168.0.16 or src ip 192.168.1.13 or src ip 192.168.1.23 or src ip 192.168.0.103 or src ip 192.168.107.49' -q -c 5000. Do I need to provide the specific aggregates for the-o fmt:` I provide?

[SandorGardil]

I believe I found the syntax to us to get the information I need however it looks like I will need to change some other stuff up to make sure its getting the correct data. These are the flags I believe will give me the correct information, both remove the use of the -o fmt flag:

-a -A srcip,dstip,srcport,dstport
instead of
-o 'fmt:%sa, %da, %sp, %dp, %pkt, %byt, %fl

and

-a -A proto,srcip,dstip,srcport,dstport,srcas,dstas,tos
instead of
-o 'fmt:{"protocol": "%pr", "start": "%ts", "end": "%te", "duration": "%td", "srcip": "%sa", "dstip": "%da", "srcport": "%sp", "dstport": "%dp", "srcas": "%sas", "dstas": "%das", "packets": %pkt, "bytes": %byt, "flows": %fl, "packets": %pkt, "tos": %tos, "bps": %bps, "pps": %pps, "Bpp": %bpp}'