Thank you Nick! As near as I can tell we have a working implementation; now I
need to put together test data to validate everything.

Cheers,

Tom.

From: Nick Allen <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, November 1, 2019 at 11:02 AM
To: "[email protected]" <[email protected]>
Subject: Re: Fields with a period/dot in the name

Hi Tom -

> In the case of Metron, should we be modifying the field names to replace 
> dots? Can the Metron STELLAR language handle a field name with a dot in it, 
> or are there any special steps required such as surrounding event fields with 
> single or double-quotes in order to properly handle those field names?

I cannot think of any facilities within Metron itself that would have
difficulties with periods in field names.

> I noticed that our fields names arrive with a period in the name, for example 
> "client.ip" and "user.id"... Our internal naming convention is intended to 
> align the data ingestion solution with the Elasticsearch Common Schema. From 
> experience, working with those dots in Elasticsearch is a challenge

You can use Metron to translate the field names however you like.  For example,
replace "client.ip" with "client_ip". There are some examples of this in the
Parsers documentation here [1].  Look under the section "fieldTransformation
configuration".

---

[1] https://metron.apache.org/current-book/metron-platform/metron-parsers/index.html

On Fri, Nov 1, 2019 at 1:21 PM Yerex, Tom <[email protected]> wrote:

Good day to everyone. I'm working on our own variation of the Geographic Login
Outliers use case
(https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html).
I noticed that our field names arrive with a period in the name, for example
"client.ip" and "user.id".

Our internal naming convention is intended to align the data ingestion solution
with the Elasticsearch Common Schema. From experience, working with those dots
in Elasticsearch is a challenge and it raises the question if we need to handle
field names with a dot in a different manner in Metron.

In the case of Metron, should we be modifying the field names to replace dots?
Can the Metron STELLAR language handle a field name with a dot in it, or are
there any special steps required such as surrounding event fields with single
or double-quotes in order to properly handle those field names?

Thank you,

Tom.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
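A worked version of the RENAME field transformation Nick points to, added here as an example for this page. It is Python written for the page, not Metron's parser code, and it models only the RENAME step, not the rest of the parser topology. The parser-config fragment follows the shape documented under "fieldTransformation configuration" in [1], where RENAME takes a map of existing field name to new field name; the parser class name is Metron's JSONMapParser, while the sample event, the sensor topic "auth" and the helper names are constructed for the example. It also adds a check the ECS-style names make worth having: Elasticsearch (5.x onward) expands a dotted key into an object path, so an event carrying both a scalar "client" and a "client.ip" produces a mapping conflict, and object_path_collisions flags that pairing before a document reaches the index. rename_all_dotted goes beyond the two-field mapping in the reply and derives the RENAME config for every dotted field in an event.

```python
import json

# Constructed sample event, as it would arrive from the sensor (not real data).
SAMPLE_EVENT = {
    "timestamp": 1572614460000,
    "client.ip": "203.0.113.7",
    "user.id": "tyerex",
    "event.action": "login",
    "source.type": "auth",
}

# Constructed parser-config fragment. Assumption: RENAME's "config" is a map of
# existing field name -> new field name, as in the Metron parsers docs. The
# sensorTopic is made up; JSONMapParser is a real Metron parser class.
PARSER_CONFIG = json.loads("""
{
  "parserClassName": "org.apache.metron.parsers.json.JSONMapParser",
  "sensorTopic": "auth",
  "fieldTransformations": [
    {
      "transformation": "RENAME",
      "config": {
        "client.ip": "client_ip",
        "user.id": "user_id"
      }
    }
  ]
}
""")


def rename_fields(message, mapping):
    """RENAME semantics: each key in `mapping` is replaced by its value.
    Keys absent from the message are skipped. A rename that would overwrite
    an existing, different field is refused so data is never silently lost."""
    out = dict(message)
    for old, new in mapping.items():
        if old not in out:
            continue
        if new in out and new != old:
            raise ValueError(f"rename {old!r} -> {new!r} would clobber an existing field")
        out[new] = out.pop(old)
    return out


def apply_field_transformations(config, message):
    """Walk the config's fieldTransformations list in order. Only RENAME is
    modelled here; any other transformation type raises, so a typo in the
    config fails loudly instead of being skipped."""
    out = dict(message)
    for ft in config.get("fieldTransformations", []):
        kind = ft.get("transformation")
        if kind == "RENAME":
            out = rename_fields(out, ft.get("config", {}))
        else:
            raise NotImplementedError(f"transformation {kind!r} is not modelled")
    return out


def dotted_fields(message):
    """Field names that still carry a dot after transformation."""
    return sorted(k for k in message if "." in k)


def rename_all_dotted(message, sep="_"):
    """Derive a RENAME config covering every dotted field in the event,
    e.g. client.ip -> client_ip, rather than listing fields by hand."""
    return {k: k.replace(".", sep) for k in message if "." in k}


def object_path_collisions(message):
    """Elasticsearch 5.x+ expands a dotted key into an object path, so a
    scalar 'client' next to 'client.ip' maps to the same node and raises a
    mapping conflict at index time. Return the (prefix, dotted key) pairs."""
    keys = set(message)
    collisions = []
    for k in keys:
        parts = k.split(".")
        for i in range(1, len(parts)):
            prefix = ".".join(parts[:i])
            if prefix in keys:
                collisions.append((prefix, k))
    return sorted(collisions)


if __name__ == "__main__":
    transformed = apply_field_transformations(PARSER_CONFIG, SAMPLE_EVENT)
    print(json.dumps(transformed, indent=2))
    print("still dotted:", dotted_fields(transformed))
    print("full mapping:", rename_all_dotted(SAMPLE_EVENT))
    print("collisions:", object_path_collisions({"client": "x", "client.ip": "203.0.113.7"}))
```

Run stand-alone it prints the renamed event, the two ECS fields the two-entry mapping leaves dotted (event.action and source.type), the complete mapping rename_all_dotted would generate for them, and the collision pair. In a real deployment the RENAME entries go into the sensor's parser config and Metron performs the rename in the parser topology; this script only lets you preview what the transformed event will look like before indexing.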