Posted to issues@metron.apache.org by "Otto Fowler (JIRA)" <ji...@apache.org> on 2016/10/26 04:31:58 UTC

[jira] [Comment Edited] (METRON-515) Stellar IS_EMPTY() function does not work as expected

    [ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15607360#comment-15607360 ] 

Otto Fowler edited comment on METRON-515 at 10/26/16 4:31 AM:
--------------------------------------------------------------

If that field is going to be an integer, IS_EMPTY may not be the right function to use. However, you could make an argument that EMPTY and 0 are logically the same thing... such that the logic should be:

IF IS COLLECTION
    RETURN COLLECTION IS EMPTY
ELSE IF IS STRING
    RETURN STRING IS EMPTY
ELSE IF IS INTEGER
    RETURN INTEGER != ZERO
ELSE
    RETURN TRUE

[~cestella]?



was (Author: ottobackwards):
If that field is going to be an integer, IS_EMPTY may not be the right function to use.

> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
>                 Key: METRON-515
>                 URL: https://issues.apache.org/jira/browse/METRON-515
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some cases.  Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
> },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>        	"IS_EMPTY(rcode)" : 0.91,
>        	"exists(ip_dst_port)" : 0.20,
>        	"exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>        	"aggregationConfig":
>        	{
>        	"NEGATIVE_VALUES_TRUMP_CONF" : "false"
>        	}
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.
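Added example (Python, not Metron's Stellar code): a constructed reproduction of the reported symptom next to a type-aware IS_EMPTY, run through the riskLevelRules of the quoted triageConfig with the MAX aggregator. The message fields, the `zero_is_empty` switch and the modelling of `exists()` as key presence are assumptions made here.

```python
"""METRON-515: how the meaning of IS_EMPTY on an integer field changes the
threat-triage score. Constructed illustration, not the Stellar implementation."""
from collections.abc import Collection


def is_empty_naive(value):
    """Constructed reproduction of the symptom in the issue: every falsy value,
    including the integer 0, is reported as empty. The real cause may differ."""
    return not value


def is_empty_typed(value, zero_is_empty=False):
    """Type-aware IS_EMPTY following the comment's case split: collections and
    strings are empty when they hold nothing, null is empty, and an integer is
    empty only if the caller adopts the 'EMPTY and 0 are the same' reading."""
    if value is None:
        return True
    if isinstance(value, str):
        return len(value) == 0
    if isinstance(value, Collection):
        return len(value) == 0
    if isinstance(value, bool):  # bool subclasses int; never 'empty'
        return False
    if isinstance(value, int):
        return zero_is_empty and value == 0
    return False


def triage_score(message, is_empty):
    """MAX aggregator over the four riskLevelRules of the quoted config.
    exists(field) is modelled as key presence (assumption)."""
    rules = [
        ("exists(ip_dst_addr)", lambda m: "ip_dst_addr" in m, 0.10),
        ("IS_EMPTY(rcode)", lambda m: is_empty(m.get("rcode")), 0.91),
        ("exists(ip_dst_port)", lambda m: "ip_dst_port" in m, 0.20),
        ("exists(ip_src_port)", lambda m: "ip_src_port" in m, 0.30),
    ]
    return max((score for _, pred, score in rules if pred(message)), default=0.0)


# Constructed sample message: a DNS reply with rcode 0 (NOERROR), not an alert.
SAMPLE_MESSAGE = {"ip_src_addr": "10.0.0.1", "ip_dst_addr": "10.0.0.2",
                  "ip_src_port": 41234, "ip_dst_port": 53, "rcode": 0}

if __name__ == "__main__":
    print("naive IS_EMPTY:", triage_score(SAMPLE_MESSAGE, is_empty_naive))
    print("typed IS_EMPTY:", triage_score(SAMPLE_MESSAGE, is_empty_typed))
    print("typed, 0 is empty:", triage_score(
        SAMPLE_MESSAGE, lambda v: is_empty_typed(v, zero_is_empty=True)))
```

With the naive check every benign rcode=0 reply is triaged at 0.91 instead of 0.30, so the rule's intent (flag responses with no rcode) decides whether the score is inflated.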



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)