Posted to issues@nifi.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/03/20 18:28:00 UTC

[jira] [Commented] (NIFI-4735) ParseEVTX only outputs one event per chunk

    [ https://issues.apache.org/jira/browse/NIFI-4735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16797418#comment-16797418 ] 

ASF subversion and git services commented on NIFI-4735:
-------------------------------------------------------

Commit 48a6c81fa261339c645773a3124ce0ee351346c4 in nifi's branch refs/heads/master from Ferenc Szabó
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=48a6c81 ]

NIFI-4735: ParseEVTX only outputs one event per chunk

This change is based on https://github.com/apache/nifi/pull/2489

I have reproduced the issue with some additional test cases and test files then applied the original fix.

commit message from the original change:
Updated the EVTX FileHeader class to correctly check if there are more chunks in the file. Previously this would not process the last chunk.

Updated the EVTX ChunkHeader class to correctly check if there are additional records in the chunk. Previously this would only process the first record of each chunk. It was using the fileLastRecordNumber where it should have been using the logLastRecordNumber value.

Updated the EVTX unit tests to have the correct expected number of events and use the logLastRecordNumber.

refactoring duplicated code and magic numbers

Signed-off-by: Matthew Burgess <ma...@apache.org>

This closes #2489
This closes #3379


> ParseEVTX only outputs one event per chunk
> ------------------------------------------
>
>                 Key: NIFI-4735
>                 URL: https://issues.apache.org/jira/browse/NIFI-4735
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>            Reporter: Terry Brugger
>            Priority: Major
>         Attachments: EVTX2XML.xml, Screen Shot 2018-01-03 at 15.06.24.png
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> I have constructed a simple pipeline that reads a Windows EVTX binary file, runs it through ParseEvtx, and writes out the result (template attached). As a sample I fed it a 192MiB file and it only output 3.3MiB (see screenshot). The output file contains 3071 events. Not coincidentally, I am sure, 192MiB/64KiB = 3072, which would indicate that it only wrote out one event from each chunk. If I configure the processor to output by the chunk or event I get 3071 separate files with one event each. Unfortunately, I have no way to sanitize binary EVTX so I cannot provide the actual file used.
> By way of comparison, I ran the same EVTX file through evtx_dump.py from the python-evtx package (which I understand ParseEvtx was based on) and it produced 395,757 events -- on par with what I would expect. It also took much longer than NiFi -- like 30 minutes versus a few seconds -- which I also expect is consistent with processing the entire file.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
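The two defects the commit message describes are both loop-bound errors in walking the EVTX container: the file-level loop stopped one chunk early, and the chunk-level loop compared against the wrong "last record" field and so stopped after the first record of each chunk. The script below is an added illustration, not NiFi's code or python-evtx's: it constructs a small EVTX-like file (the layout is a simplified model of the real format with the same magic values but far fewer header fields, no checksums and no BinXML payload), walks every chunk the file header declares, walks records inside a chunk until the chunk's own last record identifier is reached (the role the commit assigns to logLastRecordNumber; that mapping is an assumption), and then runs the kind of completeness check the commit added as a regression test: the number of parsed events must match what the headers claim, and the last chunk must have contributed records. A parser with either bug from the ticket fails that check on this sample.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed, simplified EVTX-like layout (the real format carries more fields).
FILE_HEADER_SIZE = 4096
CHUNK_SIZE = 65536
CHUNK_HEADER_SIZE = 128
FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HDR_FMT = "<8sQQQH"    # magic, first chunk no., last chunk no., next record id, chunk count
CHUNK_HDR_FMT = "<8sQQI"    # magic, first record id, last record id, header size
RECORD_HDR_FMT = "<4sIQQ"   # magic, size, record id, written time
RECORD_HDR_LEN = struct.calcsize(RECORD_HDR_FMT)  # 24 bytes


@dataclass
class Record:
    chunk_index: int
    record_id: int
    payload: bytes


def build_sample(records_per_chunk: List[int]) -> bytes:
    """Construct a sample file with the given number of records in each chunk."""
    next_id = 1
    chunks = []
    for per_chunk in records_per_chunk:
        first_id = next_id
        body = b""
        for _ in range(per_chunk):
            payload = f"event {next_id}".encode()
            size = RECORD_HDR_LEN + len(payload) + 4  # header + payload + trailing size copy
            body += struct.pack(RECORD_HDR_FMT, RECORD_MAGIC, size, next_id, 0)
            body += payload + struct.pack("<I", size)
            next_id += 1
        last_id = next_id - 1
        hdr = struct.pack(CHUNK_HDR_FMT, CHUNK_MAGIC, first_id, last_id, CHUNK_HEADER_SIZE)
        chunk = hdr.ljust(CHUNK_HEADER_SIZE, b"\x00") + body
        assert len(chunk) <= CHUNK_SIZE, "sample chunk overflow"
        chunks.append(chunk.ljust(CHUNK_SIZE, b"\x00"))
    n = len(chunks)
    file_hdr = struct.pack(FILE_HDR_FMT, FILE_MAGIC, 0, n - 1, next_id, n)
    return file_hdr.ljust(FILE_HEADER_SIZE, b"\x00") + b"".join(chunks)


def iter_records(data: bytes) -> Iterator[Record]:
    """Yield every record in every chunk, including the last chunk."""
    magic, _first_chunk, _last_chunk, _next_id, chunk_count = struct.unpack_from(FILE_HDR_FMT, data, 0)
    if magic != FILE_MAGIC:
        raise ValueError("not an EVTX-like file")
    for chunk_index in range(chunk_count):  # range() already covers chunk_count - 1
        start = FILE_HEADER_SIZE + chunk_index * CHUNK_SIZE
        chunk = data[start:start + CHUNK_SIZE]
        cmagic, _first_id, last_id, header_size = struct.unpack_from(CHUNK_HDR_FMT, chunk, 0)
        if cmagic != CHUNK_MAGIC:
            raise ValueError(f"bad chunk magic in chunk {chunk_index}")
        pos = header_size
        while pos + RECORD_HDR_LEN <= len(chunk):
            rmagic, size, record_id, _written = struct.unpack_from(RECORD_HDR_FMT, chunk, pos)
            if rmagic != RECORD_MAGIC or size < RECORD_HDR_LEN + 4 or pos + size > len(chunk):
                break  # free space at the end of the chunk, or a corrupt record
            yield Record(chunk_index, record_id, chunk[pos + RECORD_HDR_LEN:pos + size - 4])
            # "More records in this chunk?" is answered by the chunk's own last record id.
            if record_id >= last_id:
                break
            pos += size


def count_events(data: bytes) -> int:
    return sum(1 for _ in iter_records(data))


def expected_event_count(data: bytes) -> int:
    """Events the headers claim: ids run from the first chunk's first id to next_id - 1."""
    _m, _fc, _lc, next_id, chunk_count = struct.unpack_from(FILE_HDR_FMT, data, 0)
    if chunk_count == 0:
        return 0
    _cm, first_id, _last, _hs = struct.unpack_from(CHUNK_HDR_FMT, data, FILE_HEADER_SIZE)
    return next_id - first_id


def check_complete(data: bytes) -> Tuple[int, int, bool]:
    """Regression check: parsed count matches the headers and the last chunk was reached."""
    recs = list(iter_records(data))
    chunk_count = struct.unpack_from(FILE_HDR_FMT, data, 0)[4]
    parsed, expected = len(recs), expected_event_count(data)
    reached_last_chunk = bool(recs) and recs[-1].chunk_index == chunk_count - 1
    return parsed, expected, parsed == expected and reached_last_chunk


SAMPLE = build_sample([2, 3, 1])  # constructed: 3 chunks, 6 events, ids 1..6

if __name__ == "__main__":
    print(check_complete(SAMPLE))  # (6, 6, True)
```

The same check applies to a real parser: the reporter's 3071 events against roughly 3072 chunks is exactly the "one per chunk" signature, and comparing the parsed count with the record-identifier range the headers declare catches both truncation bugs without needing the original log.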