Github user simonellistonball commented on the issue:
https://github.com/apache/incubator-metron/pull/579
Yes, that makes sense, but does have some performance implications of
course. A single mapping would have much faster response, so I would question
the original approach (on which you are quite correct). I'm sure others will
chime in if there are benefits to the re-write the name approach that I'm
missing. Right now we only formally define a small number of the fields -
ip_(src|dest)_(addr|port) etc to have the metron format, but I would argue
things like nat_source_addr in this parser should follow the spirit of the
convention.