[jira] [Commented] (METRON-1010) Reorganize the bro elasticsearch template

Mon, 03 Jul 2017 12:34:22 -0700 

    [ 
https://issues.apache.org/jira/browse/METRON-1010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16072841#comment-16072841
 ] 

Nick Allen commented on METRON-1010:
------------------------------------

My understanding is that you can also apply multiple templates to a single 
index 
(https://www.elastic.co/guide/en/elasticsearch/reference/2.1/indices-templates.html#multiple-templates).
  Elasticsearch does a deep merge of each template.   I am thinking we could 
get the advantages of using multiple templates, but also keep the  single index 
that we currently have.

> Reorganize the bro elasticsearch template
> -----------------------------------------
>
>                 Key: METRON-1010
>                 URL: https://issues.apache.org/jira/browse/METRON-1010
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: Next + 1
>            Reporter: Jon Zeolla
>
> Right now, updates to the bro indexing template for ElasticsSearch are 
> somewhat confusing due to field name collisions across distinct bro logs.  I 
> see two possible approaches to make this simpler:
> *Option 1* - One template, with duplication, but still one bro index.
> We duplicate the field definitions under each log type's section 
> (distinguished by comments) to make it easier to add/remove bro log support 
> to the template, and makes ripping logs out into distinct indexes in the 
> future easier.
> Pros:  Doesn't require much refactoring of Metron because all bro logs are 
> still in the same place that they used to be, review of one bro log's 
> indexing details is more intuitive.
> Cons:  Changes to a field should be reflected everywhere that field exists in 
> the template.
> *Option 2* - Multiple templates, multiple bro indexes.
> Configure Metron to send each individual bro log into distinct indexes.  We 
> could continue to use the bro- preface, but we would still need to fix 
> dashboards, saved queries, etc.
> Pros:  1:1 mapping of a distinct field to an ES type, so type is always 
> accurate (unlike what we have currently, for details see 
> https://github.com/apache/metron/pull/586/files#diff-262becd0bb95e0520c42c30a857a343eR131).
> Cons:  Overall complexity of change.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to