[ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608639#comment-15608639 ]
ASF GitHub Bot commented on METRON-515:
---------------------------------------

Github user merrimanr commented on the issue:

    https://github.com/apache/incubator-metron/pull/324

    Docs have been updated

> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
>                 Key: METRON-515
>                 URL: https://issues.apache.org/jira/browse/METRON-515
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some
> cases. Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>         "IS_EMPTY(rcode)" : 0.91,
>         "exists(ip_dst_port)" : 0.20,
>         "exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>       "aggregationConfig":
>       {
>         "NEGATIVE_VALUES_TRUMP_CONF" : "false"
>       }
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the
> function incorrectly returns true and sets the threat triage value to 0.91.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
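
The effect of the reported behaviour on the triage score, as an added example that is not part of the original message and is not Metron's code: a simplified Python model of the quoted `riskLevelRules` with the `MAX` aggregator. The rule evaluator, both emptiness predicates and the sample message are assumptions; the faulty predicate is a hypothetical stand-in that reproduces the reported symptom, not the actual cause in Metron.

```python
# Simplified model of the triage rules quoted in the issue (not Metron code).
RISK_LEVEL_RULES = {  # rule -> score, copied from the config in the report
    "exists(ip_dst_addr)": 0.10,
    "IS_EMPTY(rcode)": 0.91,
    "exists(ip_dst_port)": 0.20,
    "exists(ip_src_port)": 0.30000000000,
}

def is_empty_expected(value):
    """Empty means missing, empty string or empty collection; 0 is a value."""
    if value is None:
        return True
    if isinstance(value, (str, bytes, list, tuple, dict, set)):
        return len(value) == 0
    return False  # numbers and booleans are never "empty"

def is_empty_strings_only(value):
    """Hypothetical faulty variant: anything that is not a non-empty string
    counts as empty, so the integer 0 is reported as empty."""
    return not (isinstance(value, str) and value != "")

def triage_score(message, is_empty):
    """Evaluate every rule against the message and aggregate with MAX."""
    scores = []
    for rule, score in RISK_LEVEL_RULES.items():
        func, field = rule.rstrip(")").split("(")
        if func == "exists":
            fired = field in message
        elif func == "IS_EMPTY":
            fired = is_empty(message.get(field))
        else:
            raise ValueError(f"unsupported rule: {rule}")
        if fired:
            scores.append(score)
    return max(scores, default=0.0)

# Constructed sample message with rcode = 0 (addresses are documentation IPs).
SAMPLE = {"ip_src_addr": "192.0.2.10", "ip_src_port": 53124,
          "ip_dst_addr": "192.0.2.53", "ip_dst_port": 53, "rcode": 0}
NO_RCODE = {k: v for k, v in SAMPLE.items() if k != "rcode"}

if __name__ == "__main__":
    print("faulty,   rcode=0 :", triage_score(SAMPLE, is_empty_strings_only))
    print("expected, rcode=0 :", triage_score(SAMPLE, is_empty_expected))
    print("expected, no rcode:", triage_score(NO_RCODE, is_empty_expected))
```

Because the aggregator is `MAX`, a single rule that fires wrongly decides the final score, which makes the `rcode = 0` case a useful regression test for any triage rule built on `IS_EMPTY`.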