From 6ea1a83afe9199c9337c508fff10b54d797d3063 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 11 Jan 2021 14:10:08 -0500
Subject: [PATCH] resolve some issues with the zeekloss script https://github.com/Security-Onion-Solutions/securityonion/issues/2590

---
 salt/telegraf/scripts/zeekloss.sh | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh
index 9a64ef4dd..0cdef896c 100644
--- a/salt/telegraf/scripts/zeekloss.sh
+++ b/salt/telegraf/scripts/zeekloss.sh
@@ -29,15 +29,22 @@ echo $$ > $lf
 ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
 declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
-PASTDROP=${RESULT[9]}
-DROPPED=$((CURRENTDROP - PASTDROP))
-if [ $DROPPED == 0 ]; then
+# zeek likely not running if this is true
+if [[ $CURRENTDROP == "rcvd:" ]]; then
+ CURRENTDROP=0
+ PASTDROP=0
+ DROPPED=0
+else
+ PASTDROP=${RESULT[9]}
+ DROPPED=$((CURRENTDROP - PASTDROP))
+fi
+if [[ "$DROPPED" -le 0 ]]; then
 LOSS=0
 echo "zeekdrop drop=0"
 else
 CURRENTPACKETS=${RESULT[5]}
 PASTPACKETS=${RESULT[11]}
 TOTAL=$((CURRENTPACKETS - PASTPACKETS))
- LOSS=$(echo $DROPPED $TOTAL / p | dc)
+ LOSS=$(echo 4k $DROPPED $TOTAL / p | dc)
 echo "zeekdrop drop=$LOSS"
-fi
+fi
\ No newline at end of file
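Review bot: The new `[[ $CURRENTDROP == "rcvd:" ]]` sentinel only recognises one shape of a short or stale packetloss.log, while `${RESULT[9]}`, `${RESULT[5]}` and `${RESULT[11]}` still flow unchecked into `$(( ))` and into the `dc` command in the else branch, so an empty, single-line or otherwise malformed log (the case issue 2590 is about) can still produce an arithmetic error or an empty `LOSS`, and the script then emits `zeekdrop drop=` which is not a parseable telegraf line. A numeric check on the fields before they are used, `[[ "$CURRENTDROP" =~ ^[0-9]+$ && "${RESULT[9]}" =~ ^[0-9]+$ ]]`, would subsume the sentinel and also avoids handing arbitrary log tokens to bash arithmetic evaluation. Independently, when `TOTAL` is 0 (no packets received between the two samples) the `4k $DROPPED $TOTAL / p | dc` line reports a divide-by-zero on stderr rather than a ratio, so the division should be guarded with `(( TOTAL > 0 ))` and `LOSS=0` otherwise. The lock-file setup that precedes `echo $$ > $lf` is outside the hunk; the hunk itself runs to the end of the file.
```shell
# … unchanged: ZEEKLOG / RESULT / CURRENTDROP assignments …
# Zeek not running, log short, or counters not numeric: report no loss.
if [[ "$CURRENTDROP" =~ ^[0-9]+$ && "${RESULT[9]}" =~ ^[0-9]+$ ]]; then
  PASTDROP=${RESULT[9]}
  DROPPED=$((CURRENTDROP - PASTDROP))
else
  CURRENTDROP=0; PASTDROP=0; DROPPED=0
fi
# … unchanged: DROPPED <= 0 branch, CURRENTPACKETS / PASTPACKETS / TOTAL …
  if (( TOTAL > 0 )); then
    LOSS=$(echo 4k "$DROPPED" "$TOTAL" / p | dc)
  else
    LOSS=0
  fi
  echo "zeekdrop drop=$LOSS"
```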