You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@metron.apache.org by Kyle Richardson <ky...@gmail.com> on 2017/04/09 18:26:47 UTC

Stellar field transformations cannot use input fields with dashes

So, I learned something the hard way today and thought I would share. I'm
sure most of you already knew this but here goes.

It turns out that, while you can use message field names with dashes in
them (e.g. cs-host) you cannot perform Stellar operations with them. In my
case, this was a field transformation but I'm assuming it would apply to
other uses of Stellar as well. Looking at it after the fact, it makes a lot
more sense, but it took me a while to realize that the dashes in the field
name were being treated as a minus in Stellar, thus returning zero for the
string operations I was trying to perform.

Example field transform config:
"fieldTransformations": [
  {
    "transformation": "STELLAR",
    "output": ["proto"],
    "config": {
      "proto": "TO_UPPER(cs-uri-scheme)"
    }
  }
]

Example message:
{
    "cs-host": "crl.microsoft.com",
    "cs-uri-scheme": "http",
    "s-action": "TCP_HIT",
    "timestamp": 1491759661030,
    "proto": "0"
    ...
}

My solution, change the field names to not contain dashes and everything
works as expected :).

Lesson learned; read the docs carefully. It clearly states in the README
that '-' is a reserved keyword. Sharing this to save someone else like me a
little time.

-Kyle