Github user JonZeolla commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/503#discussion_r109411418 --- Diff: metron-deployment/roles/sensor-stubs/templates/start-bro-stub --- @@ -47,8 +47,8 @@ TOPIC="bro" while true; do # transform the bro timestamp and push to kafka - SEARCH="\"ts\"\:[0-9]\+.[0-9]\{6\}" - REPLACE="\"ts\"\:`date +%s`.000000" + SEARCH="\"ts\"\:[0-9]\+\." + REPLACE="\"ts\"\:`date +%s`\." --- End diff -- Bro timestamps are often out of order depending on the log because some lines are written when the connection ends and others are written when an event within a connection occurs. As such, timestamps can be confusing to look at initially, but it is very normal for them not to be in order. Also, we are already breaking any sort ordering by randomly selecting logs from bro.out and replacing the timestamps with the current timestamp, so I'm not concerned with my changes causing any more of a headache than flattening the decimal places with 0s.
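Review bot: the comment above SEARCH still reads "transform the bro timestamp and push to kafka", but with the new SEARCH and REPLACE only the integer seconds before the dot are rewritten and whatever fractional digits the sampled line carried are kept. Suggest updating that comment to say the sub-second part is preserved from the original record. Two smaller style points on the + lines: `$(date +%s)` is easier to read and nest than backticks, and if REPLACE is consumed as a sed replacement the `\.` there does not need escaping, since only the SEARCH side treats `.` as a wildcard.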