Posted to issues@metron.apache.org by "Otto Fowler (JIRA)" <ji...@apache.org> on 2016/10/26 15:29:59 UTC

[jira] [Issue Comment Deleted] (METRON-515) Stellar IS_EMPTY() function does not work as expected

     [ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Otto Fowler updated METRON-515:
-------------------------------
    Comment: was deleted

(was: [~rmerriman] can you clarify what you mean?
Right now
No args passed = true
String or collection evaluated
Not string or collection = true

If you expect the integer 0 to not be true even though it is not a valid parameter then is the expectation what I have above?  Is your point that it is a 0?  I don't see how we can have an integer passed in and have it ever _be_ false.  If it is null then there is no arg and it is true.  If it exists, it is not a valid parameter, unless we treat integer types specially as above.


)

> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
>                 Key: METRON-515
>                 URL: https://issues.apache.org/jira/browse/METRON-515
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some cases.  Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>         "IS_EMPTY(rcode)" : 0.91,
>         "exists(ip_dst_port)" : 0.20,
>         "exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>       "aggregationConfig" : {
>         "NEGATIVE_VALUES_TRUMP_CONF" : "false"
>       }
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
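
Added example, not part of the original message and not Metron code: a simplified Python model of the IS_EMPTY behaviour listed in the deleted comment, showing how rcode = 0 drives the MAX-aggregated triage score to 0.91. The function names, the is_empty_strict variant (an assumed reading of the reporter's expectation), the rule evaluation model and the sample message are all assumptions made for illustration.

```python
# Simplified model (not Metron code) of the IS_EMPTY behaviour described in
# this thread and its effect on the MAX-aggregated threat triage score.

def is_empty_as_described(*args):
    """Behaviour as listed in the deleted comment."""
    if not args or args[0] is None:
        return True                    # no args passed = true
    value = args[0]
    if isinstance(value, (str, list, tuple, set, dict)):
        return len(value) == 0         # string or collection is evaluated
    return True                        # not string or collection = true

def is_empty_strict(*args):
    """Assumed alternative: a present value of any other type is not empty."""
    if not args or args[0] is None:
        return True
    value = args[0]
    if isinstance(value, (str, list, tuple, set, dict)):
        return len(value) == 0
    return False

def triage_score(message, is_empty):
    """Evaluate the four riskLevelRules from the config and aggregate with MAX."""
    rules = [
        (lambda m: "ip_dst_addr" in m, 0.10),        # exists(ip_dst_addr)
        (lambda m: is_empty(m.get("rcode")), 0.91),  # IS_EMPTY(rcode)
        (lambda m: "ip_dst_port" in m, 0.20),        # exists(ip_dst_port)
        (lambda m: "ip_src_port" in m, 0.30),        # exists(ip_src_port)
    ]
    matched = [score for rule, score in rules if rule(message)]
    return max(matched, default=0.0)

# Constructed sample message with rcode = 0, as in the bug report.
SAMPLE = {
    "ip_src_addr": "10.0.0.1", "ip_dst_addr": "10.0.0.2",
    "ip_src_port": 49152, "ip_dst_port": 53, "rcode": 0,
}

if __name__ == "__main__":
    print("as described:", triage_score(SAMPLE, is_empty_as_described))
    print("strict      :", triage_score(SAMPLE, is_empty_strict))
```

With the behaviour as described, every message carrying a numeric rcode scores 0.91, so the rule cannot separate messages that lack the field from messages that have it.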