Github user JonZeolla commented on a diff in the pull request:
https://github.com/apache/metron/pull/586#discussion_r123040458
--- Diff:
metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
---
@@ -238,6 +238,538 @@
"qtype_name": {
"type": "string",
"index": "not_analyzed"
+ },
+ "analyzer": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "failure_reason": {
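Review bot: the hunk appends the new fields (`analyzer`, `failure_reason`, and the rest of the 538 added lines) to the single flat properties block that already holds the DNS fields such as `qtype_name`, so a field name emitted by two different Bro logs ends up with one shared mapping; the template should state which log each field comes from, or the type of every shared name must be confirmed identical across all logs that emit it, otherwise the second definition is silently overridden.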
--- End diff --
Right, I considered both options, and implemented option 2 at one point,
but I removed the comments because of the field name collisions (i.e. two
separate bro logs with an overlapping field name). While reading through the
template, it was confusing that a given section wouldn't contain all of the
fields for a specific log, because they were addressed earlier in the template
under another log's section.
I would prefer to merge this in as-is, and address the collision problem
separately (at least, that was my intent). The first true solution that comes
to mind is to put the individual bro logs into distinct indexes, but then we
would need to change anywhere in Metron that touches bro data. I would prefer
to do that after METRON-939 (#619), if it gets merged.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---