Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

ebeng_278441's avatar
ebeng_278441
Icon for Altocumulus rankAltocumulus
Aug 31, 2016

Log the count of the STREAM hits

I'm trying to figure out how it will be possible, how many times a STREAM::expression is being executed. when HTTP_RESPONSE { if { $http_host equals "avv.com" or $http_host equals "acc...
application delivery
irules
stream
stream exp
syslog
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 01, 2016

Hi Ebeng,

you can count the individual 

[STREAM::expression]
hits using the 
STREAM_MATCHED
event. But its not that easy to accumulate the total hit numbers, since STREAM happens after the 
HTTP_RESPONSE_RELEASE
event. You have to accumulate the hit numbers either on the very next 
HTTP_REQUEST
(if keep-alive is used) or on 
CLIENT_CLOSE
.

You may take a look to the iRule below. It will count the individual STREAM hits and finally accumulate the results.

when STREAM_MATCHED {
    set stream_result(path) $http_path
    if { [info exists stream_result(Pattern:[STREAM::match])] } then {
        incr stream_result(Pattern:[STREAM::match]) 
    } else {
        set stream_result(Pattern:[STREAM::match]) 1
    }
}
when HTTP_REQUEST {
    set http_path [HTTP::path]
    if { [info exists stream_result(path)] } then {
        set stream_result(match_total) 0
        log local0.debug "Debug [array names stream_result Pattern:*]"
        foreach stream_result(pattern) [array names stream_result Pattern:*] {
            incr stream_result(match_total) $stream_result($stream_result(pattern))
            append stream_result(match_detailed) "( $stream_result(pattern) = $stream_result($stream_result(pattern)) | "
        }
        log local0.debug "STREAM hits on URL $stream_result(path):  $stream_result(match_total) [string trimright $stream_result(match_detailed) " |"] )"
        unset -nocomplain stream_result
    }
}
when CLIENT_CLOSED {
    if { [info exists stream_result(path)] } then {
        set stream_result(match_total) 0
        log local0.debug "Debug [array names stream_result Pattern:*]"
        foreach stream_result(pattern) [array names stream_result Pattern:*] {
            incr stream_result(match_total) $stream_result($stream_result(pattern))
            append stream_result(match_detailed) "( $stream_result(pattern) = $stream_result($stream_result(pattern)) | "
        }
        log local0.debug "STREAM hits on URL $stream_result(path):  $stream_result(match_total) [string trimright $stream_result(match_detailed) " |"] )"
        unset -nocomplain stream_result
    }
}

Note: Keep in mind, that you can't specify multiple STREAM::expression during HTTP_RESPONSE. But you can combine multiple expression into a single STREAM::expression (e.g. 

STREAM::expression "@aa@bb@@rr@ff@@gg@qaqa@")

Cheers, Kai