Thank you Vladimir. Before I go diving into making a lot of changes from the default, does anyone happen to recall why the colon was selected as the default? I'm curious if it works better for analysis in HDFS or Zeppelin?
Cheers,

Tom.

On 2020-02-02, 8:53 PM, "Vladimir Mikhailov" <[email protected]> wrote:

Hi

There is a parameter "fieldNameConverter" in the parser indexing configuration:

fieldNameConverter
"Defines how field names are transformed before being written to the index. Only applicable to elasticsearch. Defaults to DEDOT. Acceptable values are DEDOT that replaces all '.' with ':' or NOOP that does not change the field names."

https://github.com/apache/metron/blob/master/metron-platform/metron-indexing/metron-indexing-common/README.md#sensor-indexing-configuration

Usage example:

"elasticsearch": {
    "batchSize": 100,
    "enabled": true,
    "index": "myindex",
    "fieldNameConverter": "NOOP"
},

On 2020/02/01 00:00:04, "Yerex, Tom" <[email protected]> wrote:
> Good afternoon,
>
> Our Metron installation uses colons in the field names. For example, geo ip enriched data appears as “enrichments:geo:ip_dst_addr:country”. Under Kibana (and from what I read Banana), the colon cannot be properly escaped for use with Timelion.
>
> My question: has anyone figured out a way to escape colons in their query or another work around in general? Is there a setting somewhere that can be used to change the default from a colon to a period or another character?
>
> Thank you,
>
> Tom.
