[ https://issues.apache.org/jira/browse/METRON-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16506260#comment-16506260 ]
ASF GitHub Bot commented on METRON-1608:
----------------------------------------

Github user merrimanr commented on a diff in the pull request:

https://github.com/apache/metron/pull/1055#discussion_r194119445

--- Diff: metron-interface/metron-rest/src/main/java/org/apache/metron/rest/service/impl/SearchServiceImpl.java ---
@@ -151,7 +152,7 @@ public GroupResponse group(GroupRequest groupRequest) throws RestException { String sourceTypeField = Constants.SENSOR_TYPE.replace('.', ':');
--- End diff --

This one is tricky. We can't just reference ElasticsearchMetaAlertDao.SOURCE_TYPE because metron-elasticsearch is a runtime dependency in metron-rest. The only other solution I can think of is to define a second constant in Constants but I think that is confusing since it's specific to ES. I remember @justinleet working through this in another, maybe he can chime in.

> Add configuration for threat.triage.field name
> ----------------------------------------------
>
> Key: METRON-1608
> URL: https://issues.apache.org/jira/browse/METRON-1608
> Project: Metron
> Issue Type: Bug
> Reporter: Ryan Merriman
> Priority: Major
>
> Currently there is an option for replacing '.'s with ':'s in Elasticsearch
> field names. This is the default behavior. However our current version of
> Elasticsearch (5.6.2) now allows '.'s so it's possible for users to use '.'s
> instead. In the DAO implementation (metaalerts specifically), the
> threat.triage.field is hardcoded with ':'s and will not work properly if a
> user switches to using '.'s.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
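
Review bot: in group(), the context line String sourceTypeField = Constants.SENSOR_TYPE.replace('.', ':'); hardcodes the '.' to ':' substitution, so this query path always uses the ':' form of the field name no matter how the index names its fields. That is the same pattern the issue describes for the hardcoded threat.triage.field. If this line survives the change, take the field name from the configuration this issue introduces rather than from a literal replace, and add a test of group() that covers both the '.' and the ':' naming styles.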