Posted to issues@metron.apache.org by "Otto Fowler (JIRA)" <ji...@apache.org> on 2016/10/26 04:31:58 UTC
[jira] [Comment Edited] (METRON-515) Stellar IS_EMPTY() function does not work as expected
[ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15607360#comment-15607360 ]
Otto Fowler edited comment on METRON-515 at 10/26/16 4:31 AM:
--------------------------------------------------------------
If that field is going to be an integer, IS_EMPTY may not be the right function to use. However, you could make an argument that EMPTY and 0 are logically the same thing... such that the logic should be:
IF IS COLLECTION
    RETURN COLLECTION IS EMPTY
ELSE IF IS STRING
    RETURN STRING IS EMPTY
ELSE IF IS INTEGER
    RETURN INTEGER != ZERO
ELSE
    RETURN TRUE
[~cestella]?
was (Author: ottobackwards):
If that field is going to be an integer, IS_EMPTY may not be the right function to use.
> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
> Key: METRON-515
> URL: https://issues.apache.org/jira/browse/METRON-515
> Project: Metron
> Issue Type: Bug
> Reporter: Ryan Merriman
> Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some cases. Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>         "IS_EMPTY(rcode)" : 0.91,
>         "exists(ip_dst_port)" : 0.20,
>         "exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>       "aggregationConfig":
>       {
>         "NEGATIVE_VALUES_TRUMP_CONF" : "false"
>       }
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
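Added example, not code from Metron, the issue, or the comment above: a Python sketch of the type-dispatched emptiness check the comment proposes, run against the riskLevelRules quoted in the issue on a constructed message whose rcode is the integer 0. Assumptions made here: is_empty_naive is a constructed stand-in for the failure class the report describes (a check that lets 0 collapse into "empty"), not Metron's actual implementation; the integer branch defaults to the reporter's expectation (0 is not empty) and exposes a zero_is_empty switch for the alternative reading floated in the comment; exists() is modelled as "field present and not null"; the rule evaluator and MAX aggregation are a deliberately small model of the triage engine, not Stellar itself.

```python
import re
from collections.abc import Collection

# Triage rules copied from the enrichment config quoted in the issue.
RISK_LEVEL_RULES = {
    "exists(ip_dst_addr)": 0.10,
    "IS_EMPTY(rcode)": 0.91,
    "exists(ip_dst_port)": 0.20,
    "exists(ip_src_port)": 0.30,
}

# Constructed sample message: a DNS-style record whose rcode is the integer 0.
SAMPLE_MESSAGE = {
    "ip_src_addr": "10.0.0.5",
    "ip_dst_addr": "10.0.0.53",
    "ip_src_port": 51234,
    "ip_dst_port": 53,
    "rcode": 0,
}


def is_empty_naive(value):
    """Truthiness-based check: a constructed stand-in for the failure class
    in the report (integer 0 is treated as 'empty'). Not Metron's code."""
    return not value


def is_empty_typed(value, zero_is_empty=False):
    """Type-dispatched emptiness check in the shape of the comment's pseudocode.

    Defaults follow the reporter's expectation: only null, empty strings and
    empty collections are empty. zero_is_empty=True is the alternative reading
    from the comment ('EMPTY and 0 are logically the same')."""
    if value is None:
        return True
    if isinstance(value, str):            # check str before Collection: str is one
        return value == ""
    if isinstance(value, Collection):     # list, dict, set, tuple, bytes ...
        return len(value) == 0
    if isinstance(value, bool):           # bool is an int subclass; never "empty"
        return False
    if isinstance(value, int):
        return zero_is_empty and value == 0
    return False                          # any other scalar is never empty


# Minimal rule grammar: exists(field) or IS_EMPTY(field). Assumption for this
# example only; real Stellar rules are full expressions.
_RULE = re.compile(r"^(exists|IS_EMPTY)\((\w+)\)$")


def evaluate_rule(rule, message, is_empty):
    """Evaluate one riskLevelRules key against a message dict."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    func, field = m.groups()
    if func == "exists":
        return field in message and message[field] is not None
    return is_empty(message.get(field))


def triage_score(message, rules=RISK_LEVEL_RULES, is_empty=is_empty_typed):
    """Apply the rules with the MAX aggregator from the config; 0.0 if none fire."""
    scores = [score for rule, score in rules.items()
              if evaluate_rule(rule, message, is_empty)]
    return max(scores, default=0.0)


if __name__ == "__main__":
    # With the naive check the IS_EMPTY(rcode) rule fires and MAX yields 0.91,
    # the symptom in the report; with the typed check only the exists() rules
    # fire and the score is 0.30.
    print("naive:", triage_score(SAMPLE_MESSAGE, is_empty=is_empty_naive))
    print("typed:", triage_score(SAMPLE_MESSAGE))
```

The dispatch order matters: str is itself a Collection in Python, so it must be tested first, and bool must be tested before int so that False is not silently scored as "empty". The same ordering concerns apply to any Java implementation that checks instanceof on Object arguments.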