Merge pull request #2384 from Security-Onion-Solutions/fix/telegraf_stenoloss

make sure timestamp on steno log line has changed so we don't snapshot the drop%

salt/telegraf/scripts/stenoloss.sh

@@ -15,7 +15,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-
 APP=stenoloss
 lf=/tmp/$APP-pidLockFile
 # create empty lock file if none exists
@@ -25,7 +24,22 @@ read lastPID < $lf
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
 
-# Get the data
-DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}')
+TSFILE=/var/log/telegraf/laststenodrop.log
+if [ -f "$TSFILE" ]; then
+    LASTTS=$(cat $TSFILE)
+else
+    LASTTS=0
+fi
 
-echo "stenodrop drop=$DROP"
+# Get the data
+LOGLINE=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop)
+CURRENTTS=$(echo $LOGLINE | awk '{print $1}')
+
+if [[ "$CURRENTTS" != "$LASTTS" ]]; then
+  DROP=$(echo $LOGLINE | awk '{print $14}' | awk -F "=" '{print $2}')
+  echo $CURRENTTS > $TSFILE
+else
+  DROP=0
+fi
+
+echo "stenodrop drop=$DROP"