Sounds like a perfect opportunity to contribute a fix, or a test case for
the broken log types. I would suggest raising a JIRA, and even a PR.
Simon
On Thu, 1 Nov 2018 at 14:35, Muhammed Irshad wrote:
> Hi,
>
> Seems string escaping is not handled in the built-in ISE parser. I am getting
> weird o
Hi,
Seems string escaping is not handled in the built-in ISE parser. I am getting
weird output for some of the logs from Cisco ISE collected via Splunk. The
same issue is there for the test logs as well. PFA input string and output
JSON. Same issue is there for the unit test case messages as well.
--
You are welcome to join the palindromicity slack to discuss.
https://join.slack.com/t/palindromicity/shared_invite/enQtNDcxMDE4ODQ5NzAyLTY4ZTIzZWMyNTliZjE5ZjRkNzczZjY3MTAyYWFlYjY1ZjhiMDYxYTJhOGE4ODE3ZTA0MGViN2E5YTJhYjg3MTY
As is anyone.
On November 1, 2018 at 08:38:05, Muhammed Irshad (irshadkt.
Use the "Unified" enrichment topology rather than the legacy Split/Join.
You will see much better performance in many cases. You can toggle which
topology to use in Ambari under Metron > Config > Enrichment.
On Thu, Nov 1, 2018 at 3:15 AM Farrukh Naveed Anjum
wrote:
> Message was in the join
Thanks a lot Otto. That covers everything.
On Thu, Nov 1, 2018 at 5:16 PM Otto Fowler wrote:
> simple-syslog-5424 uses antlr4 instead of regex because I was unable to
> find or develop regexes to single pass parse structured data. If you look
> around you’ll find that most platforms’ support fo
simple-syslog-5424 uses antlr4 instead of regex because I was unable to
find or develop regexes to single pass parse structured data. If you look
around you’ll find that most platforms’ support for 5424 does not handle
structured data, and is implemented as regex. The legacy NiFi syslog
support,
Message was in the join cache too long which may be caused by slow
enrichments/threatintels. Increase the maxTimeRetain setting. at
org.apache.metron.enrichment.bolt.JoinBolt$
--
With Regards
Farrukh Naveed Anjum