The ES indexer replaces periods, I believe. Are you seeing periods hit Elasticsearch?
And architecturally that kind of logic should be done in the indexers anyways. On Tue, May 9, 2017 at 9:41 AM, zeo...@gmail.com <zeo...@gmail.com> wrote: > Is there a reason why the bro parser allows periods > <https://github.com/apache/incubator-metron/blob/master/ > metron-platform/metron-parsers/src/main/java/org/ > apache/metron/parsers/bro/JSONCleaner.java#L56> > in the keys if we can't index it (ES 2.3.3 does not allow periods in > indexes)? Would anybody be opposed to me modifying the bro parser to > rewrite "."s to "_"s for the short term, until we get ES upgraded > <https://issues.apache.org/jira/browse/METRON-939>? > > Jon > -- > > Jon >
