synapse 2.154.1__py311-none-any.whl → 2.156.0__py311-none-any.whl

synapse/lib/storm.lark

@@ -63,10 +63,10 @@ SETTAGOPER: "?"
 
 // The set of non-edit non-commands in storm
 
-_oper: stormfunc | initblock | finiblock | trycatch | subquery | _formpivot | formjoin | formpivotin
-     | formjoinin | opervarlist | setitem | setvar | vareval | filtoper
+_oper: stormfunc | initblock | emptyblock | finiblock | trycatch | subquery | _formpivot | formjoin
+     | formpivotin | formjoinin | opervarlist | setitem | setvar | vareval | filtoper
      | operrelprop | forloop | whileloop | switchcase | BREAK | CONTINUE | return | emit | stop
-     | _liftprop | ifstmt | yieldvalu | n1walk | n2walk | n1walknpivo | n2walknpivo | rawpivot
+     | _liftprop | ifstmt | yieldvalu | n1walk | n2walk | n1join | n2join | n1walknpivo | n2walknpivo | n1walknjoin | n2walknjoin | rawpivot
 
 BREAK.4: /break(?=[\s\}])/
 CONTINUE.4: /continue(?=[\s\}])/
@@ -106,6 +106,9 @@ yieldvalu: YIELD _argvalu
 _INIT.2: /init(?=[\s\{])/
 initblock: _INIT "{" query "}"
 
+_EMPTY.2: /empty(?=[\s\{])/
+emptyblock: _EMPTY "{" query "}"
+
 _FINI.2: /fini(?=[\s\{])/
 finiblock: _FINI "{" query "}"
 
@@ -148,7 +151,7 @@ rawpivot: _RIGHTPIVOT "{" query "}"
 _RIGHTJOIN.4:  "-+>"
 _LEFTJOIN.4:   "<+-"
 _RIGHTPIVOT.4: "->"
-_LEFTPIVOT.4:  "<-"
+_LEFTPIVOT.4:  /<\-[^0-9]/
 
 _liftprop: liftformtag | liftpropby | liftprop | liftbyarray
             | liftbytagprop | liftbyformtagprop | liftbytag | lifttagtag
@@ -163,20 +166,33 @@ n1walk: _EDGEN1INIT (walklist | varlist | _varvalu | relpropvalu | univpropvalu
 
 n2walk: _EDGEN2INIT _valu _EDGEN2FINI _wildprops [ _cmpr _valu ]
 
+n1join: _EDGEN1INIT (walklist | varlist | _varvalu | relpropvalu | univpropvalu | tagvalu | tagpropvalu | TRIPLEQUOTEDSTRING | formatstring | VARTOKN | embedquery | baresubquery | NONQUOTEWORD | ABSPROPNOUNIV) _EDGEN1JOINFINI _wildprops [ _cmpr _valu ]
+
+n2join: _EDGEN2JOININIT _valu _EDGEN2FINI _wildprops [ _cmpr _valu ]
+
 walklist: ("(" (_varvalu | relpropvalu | univpropvalu | tagvalu | tagpropvalu | TRIPLEQUOTEDSTRING | formatstring | VARTOKN | NONQUOTEWORD | ABSPROP) ((",")|("," (_varvalu | relpropvalu | univpropvalu | tagvalu | tagpropvalu | TRIPLEQUOTEDSTRING | formatstring | VARTOKN | NONQUOTEWORD | ABSPROP))+ ","?) ")") -> valulist
 
+_WALKNJOINN1.4: "--+>"
+_WALKNJOINN2.4: "<+--"
+
 _WALKNPIVON1.4: "-->"
 _WALKNPIVON2.4: "<--"
 
 n1walknpivo: _WALKNPIVON1 "*"
 n2walknpivo: _WALKNPIVON2 "*"
 
+n1walknjoin: _WALKNJOINN1 "*"
+n2walknjoin: _WALKNJOINN2 "*"
+
 _EDGEADDN1INIT.2: "+("
 _EDGEN1INIT.2: "-("
 _EDGEN1FINI: ")>"
 _EDGEADDN2FINI: ")+"
 _EDGEN2FINI: ")-"
 
+_EDGEN1JOINFINI: ")+>"
+_EDGEN2JOININIT: "<+("
+
 // Regex to check for a matching ')-' or ')+' so we can avoid incorrectly matching
 // comparisons to an expression like '<(2)'
 _EDGEN2INIT: /\<\((?=(?>(?<EDGEN2INITRECUR>\(((?>[^()"'`]+|(?&EDGEN2INITRECUR)|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'''.*?'''|'[^']*'(?!'))*)\))|'''.*?'''|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'[^']*'(?!')|[^)])*\)[\-\+])/
@@ -214,7 +230,7 @@ stormcmdargs: _stormcmdarg
 _stormcmdarg: _stormcmdarg? ((CMDOPT (EQNOSPACE (argvquery | _argvalu | wordtokn))?) | argvquery | _argvalu | wordtokn)
 
 // The name of a storm command
-CMDNAME.2: /(?!(init|fini|function|return|emit|stop|yield|break|continue|for|while|switch|else|elif|if|not|or|and|try|catch|as|reverse)\b)[a-z][a-z0-9.]+(?=[\s\|\}]|$)/
+CMDNAME.2: /(?!(init|empty|fini|function|return|emit|stop|yield|break|continue|for|while|switch|else|elif|if|not|or|and|try|catch|as|reverse)\b)[a-z][a-z0-9.]+(?=[\s\|\}]|$)/
 
 CMDOPT.4: /(?<=\s)-[a-zA-Z0-9_-]+(?![:a-zA-Z0-9_><-])/
 
@@ -258,8 +274,9 @@ _MATCHHASHWILD.3: /\#
             <\(
             (?=(?>(?<N2MATCHRECUR>\(((?>[^()"'`]+|(?&N2MATCHRECUR)|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'''.*?'''|'[^']*'(?!'))*)\))|'''.*?'''|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'[^']*'(?!')|[^)])*\)-
             )
+            | <(\+|-[^0-9])                          # avoid matching joins or pivots
         )
-        [@?!<>^~=]+                                # match any cmprs (regex fail)
+        [@?!<>^~=]+                                  # match any cmprs (regex fail)
     )
 )
 /x

synapse/lib/storm.py

@@ -2141,7 +2141,21 @@ class Runtime(s_base.Base):
 
     def confirm(self, perms, gateiden=None, default=None):
         '''
-        Raise AuthDeny if user doesn't have global permissions and write layer permissions
+        Raise AuthDeny if the user doesn't have the permission.
+
+        Notes:
+            An elevated runtime with asroot=True will always return True.
+
+        Args:
+            perms (tuple): The permission tuple.
+            gateiden (str): The gateiden.
+            default (bool): The default value.
+
+        Returns:
+            True: If the permission is allowed.
+
+        Raises:
+            AuthDeny: If the user does not have the permission.
         '''
         if self.asroot:
             return
@@ -4598,22 +4612,6 @@ class ReIndexCmd(Cmd):
         if False:
             yield
 
-class SudoCmd(Cmd):
-    '''
-    Deprecated sudo command.
-
-    Left in for 2.x.x so that Storm command with it are still valid to execute.
-    '''
-    name = 'sudo'
-
-    async def execStormCmd(self, runt, genr):
-
-        s_common.deprdate('storm command: sudo', s_common._splicedepr)
-
-        await runt.snap.warn(f'sudo command is deprecated and will be removed on {s_common._splicedepr}')
-        async for node, path in genr:
-            yield node, path
-
 class MoveTagCmd(Cmd):
     '''
     Rename an entire tag tree and preserve time intervals.
@@ -4881,7 +4879,7 @@ class GraphCmd(Cmd):
             inet:fqdn | graph
                         --degrees 2
                         --filter { -#nope }
-                        --pivot { <- meta:seen <- meta:source }
+                        --pivot { -> meta:seen }
                         --form-pivot inet:fqdn {<- * | limit 20}
                         --form-pivot inet:fqdn {-> * | limit 20}
                         --form-filter inet:fqdn {-inet:fqdn:issuffix=1}
@@ -5463,327 +5461,6 @@ class ScrapeCmd(Cmd):
                     if self.opts.doyield:
                         yield addnode, runt.initPath(addnode)
 
-class SpliceListCmd(Cmd):
-    '''
-    Deprecated command to retrieve a list of splices backwards from the end of the splicelog.
-
-    Examples:
-
-        # Show the last 10 splices.
-        splice.list | limit 10
-
-        # Show splices after a specific time.
-        splice.list --mintime "2020/01/06 15:38:10.991"
-
-        # Show splices from a specific timeframe.
-        splice.list --mintimestamp 1578422719360 --maxtimestamp 1578422719367
-
-    Notes:
-
-        If both a time string and timestamp value are provided for a min or max,
-        the timestamp will take precedence over the time string value.
-    '''
-
-    name = 'splice.list'
-    readonly = True
-
-    def getArgParser(self):
-        pars = Cmd.getArgParser(self)
-
-        pars.add_argument('--maxtimestamp', type='int', default=None,
-                          help='Only yield splices which occurred on or before this timestamp.')
-        pars.add_argument('--mintimestamp', type='int', default=None,
-                          help='Only yield splices which occurred on or after this timestamp.')
-        pars.add_argument('--maxtime', type='str', default=None,
-                          help='Only yield splices which occurred on or before this time.')
-        pars.add_argument('--mintime', type='str', default=None,
-                          help='Only yield splices which occurred on or after this time.')
-
-        return pars
-
-    async def execStormCmd(self, runt, genr):
-
-        s_common.deprdate('storm command: splice.list', s_common._splicedepr)
-
-        mesg = f'splice.list is deprecated and will be removed on {s_common._splicedepr}'
-        await runt.snap.warn(mesg)
-
-        maxtime = None
-        if self.opts.maxtimestamp:
-            maxtime = self.opts.maxtimestamp
-        elif self.opts.maxtime:
-            try:
-                maxtime = s_time.parse(self.opts.maxtime, chop=True)
-            except s_exc.BadTypeValu as e:
-                mesg = f'Error during maxtime parsing - {str(e)}'
-
-                raise s_exc.StormRuntimeError(mesg=mesg, valu=self.opts.maxtime) from None
-
-        mintime = None
-        if self.opts.mintimestamp:
-            mintime = self.opts.mintimestamp
-        elif self.opts.mintime:
-            try:
-                mintime = s_time.parse(self.opts.mintime, chop=True)
-            except s_exc.BadTypeValu as e:
-                mesg = f'Error during mintime parsing - {str(e)}'
-
-                raise s_exc.StormRuntimeError(mesg=mesg, valu=self.opts.mintime) from None
-
-        i = 0
-
-        async for splice in runt.snap.core.spliceHistory(runt.user):
-
-            splicetime = splice[1].get('time')
-            if splicetime is None:
-                splicetime = 0
-
-            if maxtime and maxtime < splicetime:
-                continue
-
-            if mintime and mintime > splicetime:
-                return
-
-            guid = s_common.guid(splice)
-
-            buid = s_common.buid(splice[1]['ndef'])
-            iden = s_common.ehex(buid)
-
-            props = {'.created': s_common.now(),
-                     'splice': splice,
-                     'type': splice[0],
-                     'iden': iden,
-                     'form': splice[1]['ndef'][0],
-                     'time': splicetime,
-                     'user': splice[1].get('user'),
-                     'prov': splice[1].get('prov'),
-                     }
-
-            prop = splice[1].get('prop')
-            if prop:
-                props['prop'] = prop
-
-            tag = splice[1].get('tag')
-            if tag:
-                props['tag'] = tag
-
-            if 'valu' in splice[1]:
-                props['valu'] = splice[1]['valu']
-            elif splice[0] == 'node:del':
-                props['valu'] = splice[1]['ndef'][1]
-
-            if 'oldv' in splice[1]:
-                props['oldv'] = splice[1]['oldv']
-
-            fullnode = (buid, {
-                'ndef': ('syn:splice', guid),
-                'tags': {},
-                'props': props,
-                'tagprops': {},
-            })
-
-            node = s_node.Node(runt.snap, fullnode)
-
-            yield (node, runt.initPath(node))
-
-            i += 1
-            # Yield to other tasks occasionally
-            if not i % 1000:
-                await asyncio.sleep(0)
-
-class SpliceUndoCmd(Cmd):
-    '''
-    Deprecated command to reverse the actions of syn:splice runt nodes.
-
-    Examples:
-
-        # Undo the last 5 splices.
-        splice.list | limit 5 | splice.undo
-
-        # Undo splices after a specific time.
-        splice.list --mintime "2020/01/06 15:38:10.991" | splice.undo
-
-        # Undo splices from a specific timeframe.
-        splice.list --mintimestamp 1578422719360 --maxtimestamp 1578422719367 | splice.undo
-    '''
-
-    name = 'splice.undo'
-
-    def __init__(self, runt, runtsafe):
-        self.undo = {
-            'prop:set': self.undoPropSet,
-            'prop:del': self.undoPropDel,
-            'node:add': self.undoNodeAdd,
-            'node:del': self.undoNodeDel,
-            'tag:add': self.undoTagAdd,
-            'tag:del': self.undoTagDel,
-            'tag:prop:set': self.undoTagPropSet,
-            'tag:prop:del': self.undoTagPropDel,
-        }
-        Cmd.__init__(self, runt, runtsafe)
-
-    def getArgParser(self):
-        pars = Cmd.getArgParser(self)
-        forcehelp = 'Force delete nodes even if it causes broken references (requires admin).'
-        pars.add_argument('--force', default=False, action='store_true', help=forcehelp)
-        return pars
-
-    async def undoPropSet(self, runt, splice, node):
-
-        name = splice.props.get('prop')
-        if name == '.created':
-            return
-
-        if node:
-            prop = node.form.props.get(name)
-            if prop is None:  # pragma: no cover
-                mesg = f'No property named {name}.'
-                raise s_exc.NoSuchProp(mesg=mesg, name=name, form=node.form.name)
-
-            oldv = splice.props.get('oldv')
-            if oldv is not None:
-                runt.layerConfirm(('node', 'prop', 'set', prop.full))
-                await node.set(name, oldv)
-            else:
-                runt.layerConfirm(('node', 'prop', 'del', prop.full))
-                await node.pop(name)
-
-    async def undoPropDel(self, runt, splice, node):
-
-        name = splice.props.get('prop')
-        if name == '.created':
-            return
-
-        if node:
-            prop = node.form.props.get(name)
-            if prop is None:  # pragma: no cover
-                mesg = f'No property named {name}.'
-                raise s_exc.NoSuchProp(mesg=mesg, name=name, form=node.form.name)
-
-            valu = splice.props.get('valu')
-
-            runt.layerConfirm(('node', 'prop', 'set', prop.full))
-            await node.set(name, valu)
-
-    async def undoNodeAdd(self, runt, splice, node):
-
-        if node:
-            for tag in node.tags.keys():
-                runt.layerConfirm(('node', 'tag', 'del', *tag.split('.')))
-
-            runt.layerConfirm(('node', 'del', node.form.name))
-            await node.delete(force=self.opts.force)
-
-    async def undoNodeDel(self, runt, splice, node):
-
-        if node is None:
-            form = splice.props.get('form')
-            valu = splice.props.get('valu')
-
-            if form and (valu is not None):
-                runt.layerConfirm(('node', 'add', form))
-                await runt.snap.addNode(form, valu)
-
-    async def undoTagAdd(self, runt, splice, node):
-
-        if node:
-            tag = splice.props.get('tag')
-            parts = tag.split('.')
-            runt.layerConfirm(('node', 'tag', 'del', *parts))
-
-            await node.delTag(tag)
-
-            oldv = splice.props.get('oldv')
-            if oldv is not None:
-                runt.layerConfirm(('node', 'tag', 'add', *parts))
-                await node.addTag(tag, valu=oldv)
-
-    async def undoTagDel(self, runt, splice, node):
-
-        if node:
-            tag = splice.props.get('tag')
-            parts = tag.split('.')
-            runt.layerConfirm(('node', 'tag', 'add', *parts))
-
-            valu = splice.props.get('valu')
-            if valu is not None:
-                await node.addTag(tag, valu=valu)
-
-    async def undoTagPropSet(self, runt, splice, node):
-
-        if node:
-            tag = splice.props.get('tag')
-            parts = tag.split('.')
-
-            prop = splice.props.get('prop')
-
-            oldv = splice.props.get('oldv')
-            if oldv is not None:
-                runt.layerConfirm(('node', 'tag', 'add', *parts))
-                await node.setTagProp(tag, prop, oldv)
-            else:
-                runt.layerConfirm(('node', 'tag', 'del', *parts))
-                await node.delTagProp(tag, prop)
-
-    async def undoTagPropDel(self, runt, splice, node):
-
-        if node:
-            tag = splice.props.get('tag')
-            parts = tag.split('.')
-            runt.layerConfirm(('node', 'tag', 'add', *parts))
-
-            prop = splice.props.get('prop')
-
-            valu = splice.props.get('valu')
-            if valu is not None:
-                await node.setTagProp(tag, prop, valu)
-
-    async def execStormCmd(self, runt, genr):
-
-        s_common.deprdate('storm command: splice.undo', s_common._splicedepr)
-
-        mesg = f'splice.undo is deprecated and will be removed on {s_common._splicedepr}'
-        await runt.snap.warn(mesg)
-
-        if self.opts.force:
-            if not runt.user.isAdmin():
-                mesg = '--force requires admin privs.'
-                raise s_exc.AuthDeny(mesg=mesg)
-
-        i = 0
-
-        async for node, path in genr:
-
-            if not node.form.name == 'syn:splice':
-                mesg = 'splice.undo only accepts syn:splice nodes'
-                raise s_exc.StormRuntimeError(mesg=mesg, form=node.form.name)
-
-            if False:  # make this method an async generator function
-                yield None
-
-            splicetype = node.props.get('type')
-
-            if splicetype in self.undo:
-
-                iden = node.props.get('iden')
-                if iden is None:
-                    continue
-
-                buid = s_common.uhex(iden)
-                if len(buid) != 32:
-                    raise s_exc.NoSuchIden(mesg='Iden must be 32 bytes', iden=iden)
-
-                splicednode = await runt.snap.getNodeByBuid(buid)
-
-                await self.undo[splicetype](runt, node, splicednode)
-            else:
-                raise s_exc.StormRuntimeError(mesg='Unknown splice type.', splicetype=splicetype)
-
-            i += 1
-            # Yield to other tasks occasionally
-            if not i % 1000:
-                await asyncio.sleep(0)
-
 class LiftByVerb(Cmd):
     '''
     Lift nodes from the current view by an light edge verb.

synapse/lib/storm_format.py

@@ -95,9 +95,12 @@ TerminalPygMap = {
     '_EDGEN1INIT': p_t.Punctuation,
     '_EDGEN2INIT': p_t.Punctuation,
     '_EDGEN2FINI': p_t.Punctuation,
+    '_EDGEN1JOINFINI': p_t.Punctuation,
+    '_EDGEN2JOININIT': p_t.Punctuation,
     '_ELSE': p_t.Keyword,
     '_EMBEDQUERYSTART': p_t.Punctuation,
     '_EMIT': p_t.Keyword,
+    '_EMPTY': p_t.Keyword,
     '_EXPRCOLONNOSPACE': p_t.Punctuation,
     '_FINI': p_t.Keyword,
     '_HASH': p_t.Punctuation,
@@ -113,6 +116,8 @@ TerminalPygMap = {
     '_RIGHTJOIN': p_t.Punctuation,
     '_RIGHTPIVOT': p_t.Punctuation,
     '_STOP': p_t.Keyword,
+    '_WALKNJOINN1': p_t.Punctuation,
+    '_WALKNJOINN2': p_t.Punctuation,
     '_WALKNPIVON1': p_t.Punctuation,
     '_WALKNPIVON2': p_t.Punctuation,
     '$END': p_t.Punctuation,

synapse/lib/stormhttp.py

@@ -417,7 +417,16 @@ class LibHttp(s_stormtypes.Lib):
                     data = self._buildFormData(fields)
                 else:
                     data = body
-                async with sess.request(meth, url, headers=headers, json=json, data=data, **kwargs) as resp:
+
+                # `data` and `json` are passed in kwargs only if they are not
+                # None because of a weird interaction with aiohttp and vcrpy.
+                if data is not None:
+                    kwargs['data'] = data
+
+                if json is not None:
+                    kwargs['json'] = json
+
+                async with sess.request(meth, url, headers=headers, **kwargs) as resp:
                     info = {
                         'code': resp.status,
                         'reason': await self.codereason(resp.status),

synapse/lib/stormlib/gen.py

@@ -467,8 +467,7 @@ stormcmds = (
     {
         'name': 'gen.pol.country.government',
         'descr': '''
-            Lift (or create) the ou:org node representing a country's
-            government based on the 2 letter ISO-3166 country code.
+            Lift (or create) the ou:org node representing a country's government based on the 2 letter ISO-3166 country code.
 
             Examples:
 

synapse/lib/stormlib/gis.py

@@ -0,0 +1,41 @@
+import synapse.exc as s_exc
+
+import synapse.lib.gis as s_gis
+import synapse.lib.stormtypes as s_stormtypes
+
+@s_stormtypes.registry.registerLib
+class GisLib(s_stormtypes.Lib):
+    '''
+    A Storm library which implements helpers for earth based geospatial calculations.
+    '''
+    _storm_locals = (
+        {'name': 'bbox', 'desc': 'Calculate a min/max bounding box for the specified circle.',
+         'type': {'type': 'function', '_funcname': '_methBbox',
+                  'args': (
+                      {'name': 'lon', 'type': 'float', 'desc': 'The longitude in degrees.'},
+                      {'name': 'lat', 'type': 'float', 'desc': 'The latitude in degrees.'},
+                      {'name': 'dist', 'type': 'int', 'desc': 'A distance in geo:dist base units (mm).'},
+                  ),
+                  'returns': {'type': 'list', 'desc': 'A tuple of (lonmin, lonmax, latmin, latmax).', }
+        }},
+    )
+    _storm_lib_path = ('gis',)
+
+    def getObjLocals(self):
+        return {
+            'bbox': self._methBbox,
+        }
+
+    @s_stormtypes.stormfunc(readonly=True)
+    async def _methBbox(self, lon, lat, dist):
+        try:
+            lon = float(await s_stormtypes.toprim(lon))
+            lat = float(await s_stormtypes.toprim(lat))
+            dist = await s_stormtypes.toint(dist)
+        except ValueError as e:
+            raise s_exc.BadArg(mesg=f'$lib.gis.bbox(): {e}')
+        except s_exc.BadCast as e:
+            raise s_exc.BadArg(mesg=f'$lib.gis.bbox(): {e.get("mesg")}')
+
+        (latmin, latmax, lonmin, lonmax) = s_gis.bbox(lat, lon, dist)
+        return (lonmin, lonmax, latmin, latmax)

synapse/lib/stormlib/graph.py

@@ -20,6 +20,7 @@ gdefSchema = {
         'updated': {'type': 'number'},
         'refs': {'type': 'boolean', 'default': False},
         'edges': {'type': 'boolean', 'default': True},
+        'edgelimit': {'type': 'number', 'default': 3000},
         'degrees': {'type': ['integer', 'null'], 'minimum': 0},
         'filterinput': {'type': 'boolean', 'default': True},
         'yieldfiltered': {'type': 'boolean', 'default': False},
@@ -96,7 +97,7 @@ class GraphLib(s_stormtypes.Lib):
                         "name": "Test Projection",
                         "desc": "My test projection",
                         "degrees": 2,
-                        "pivots": ["<- meta:seen <- meta:source"],
+                        "pivots": ["-> meta:seen"],
                         "filters": ["-#nope"],
                         "forms": {
                             "inet:fqdn": {

synapse/lib/stormlib/stats.py

@@ -41,6 +41,8 @@ class StatsCountByCmd(s_storm.Cmd):
                           help='Maximum width of the labels to display.')
         pars.add_argument('--yield', default=False, action='store_true',
                           dest='yieldnodes', help='Yield inbound nodes.')
+        pars.add_argument('--by-name', default=False, action='store_true',
+                          help='Print stats sorted by name instead of count.')
         return pars
 
     async def execStormCmd(self, runt, genr):
@@ -55,6 +57,8 @@ class StatsCountByCmd(s_storm.Cmd):
             mesg = f'Value for --bar-width must be >= 0, got: {barwidth}'
             raise s_exc.BadArg(mesg=mesg)
 
+        byname = await s_stormtypes.tobool(self.opts.by_name)
+
         counts = collections.defaultdict(int)
 
         usenode = self.opts.valu is s_common.novalu
@@ -78,9 +82,24 @@ class StatsCountByCmd(s_storm.Cmd):
             await runt.printf('No values to display!')
             return
 
-        values = list(sorted(counts.items(), key=lambda x: x[1]))
+        if byname:
+            # Try to sort numerically instead of lexicographically
+            def coerce(indx):
+                def wrapped(valu):
+                    valu = valu[indx]
+                    try:
+                        return int(valu)
+                    except ValueError:
+                        return valu
+                return wrapped
+
+            values = list(sorted(counts.items(), key=coerce(0)))
+            maxv = max(val[1] for val in values)
+
+        else:
+            values = list(sorted(counts.items(), key=lambda x: x[1]))
+            maxv = values[-1][1]
 
-        maxv = values[-1][1]
         size = await s_stormtypes.toint(self.opts.size, noneok=True)
         char = (await s_stormtypes.tostr(self.opts.char))[0]
         reverse = self.opts.reverse

synapse/lib/stormlib/storm.py

@@ -1,14 +1,25 @@
+import logging
+
 import synapse.exc as s_exc
 
 import synapse.lib.stormtypes as s_stormtypes
 
+evaldesc = '''\
+Evaluate a storm runtime value and optionally cast/coerce it.
+
+NOTE: If storm logging is enabled, the expression being evaluated will be logged
+separately.
+'''
+
+stormlogger = logging.getLogger('synapse.storm')
+
 @s_stormtypes.registry.registerLib
 class LibStorm(s_stormtypes.Lib):
     '''
     A Storm library for evaluating dynamic storm expressions.
     '''
     _storm_locals = (
-        {'name': 'eval', 'desc': 'Evaluate a storm runtime value and optionally cast/coerce it.',
+        {'name': 'eval', 'desc': evaldesc,
          'type': {'type': 'function', '_funcname': '_evalStorm',
                   'args': (
                       {'name': 'text', 'type': 'str', 'desc': 'A storm expression string.'},
@@ -29,6 +40,10 @@ class LibStorm(s_stormtypes.Lib):
         text = await s_stormtypes.tostr(text)
         cast = await s_stormtypes.tostr(cast, noneok=True)
 
+        if self.runt.snap.core.stormlog:
+            extra = await self.runt.snap.core.getLogExtra(text=text)
+            stormlogger.info(f'Executing storm query via $lib.storm.eval() {{{text}}} as [{self.runt.user.name}]', extra=extra)
+
         casttype = None
         if cast: