Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/metron/pull/586#discussion_r123012618
  
    --- Diff: 
metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
 ---
    @@ -238,6 +238,538 @@
             "qtype_name": {
               "type": "string",
               "index": "not_analyzed"
    +        },
    +        "analyzer": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "failure_reason": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "user": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "password": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "command": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "arg": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "mime_type": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "file_size": {
    +          "type": "long"
    +        },
    +        "reply_code": {
    +          "type": "integer"
    +        },
    +        "reply_msg": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "data_channel:passive": {
    +          "type": "boolean"
    +        },
    +        "data_channel:orig_h": {
    +          "type": "ip"
    +        },
    +        "data_channel:resp_h": {
    +          "type": "ip"
    +        },
    +        "data_channel:resp_p": {
    +          "type": "integer"
    +        },
    +        "cwd": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "passive": {
    +          "type": "boolean"
    +        },
    +        "capture_password": {
    +          "type": "boolean"
    +        },
    +        "fuid": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "conn_uids": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "source": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "depth": {
    +          "type": "integer"
    +        },
    +        "analyzers": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "filename": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "duration": {
    +          "type": "float"
    +        },
    +        "local_orig": {
    +          "type": "boolean"
    +        },
    +        "is_orig": {
    +          "type": "boolean"
    +        },
    +        "seen_bytes": {
    +          "type": "long"
    +        },
    +        "total_bytes": {
    +          "type": "long"
    +        },
    +        "missing_bytes": {
    +          "type": "long"
    +        },
    +        "overflow_bytes": {
    +          "type": "long"
    +        },
    +        "timedout": {
    +          "type": "boolean"
    +        },
    +        "parent_fuid": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "md5": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "sha1": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "sha256": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "port_num": {
    +          "type": "integer"
    +        },
    +        "subject": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "issuer_subject": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "serial": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "helo": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "mailfrom": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "rcptto": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "date": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "from": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "to": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "reply_to": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "msg_id": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "in_reply_to": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "x_originating_ip": {
    +          "type": "ip"
    +        },
    +        "first_received": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "second_received": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "last_reply": {
    +          "type": "string",
    +          "analyzer": "simple"
    +        },
    +        "path": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "tls": {
    +          "type": "boolean"
    +        },
    +        "fuids": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "is_webmail": {
    +          "type": "boolean"
    +        },
    +        "version": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "cipher": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "curve": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "server_name": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "resumed": {
    +          "type": "boolean"
    +        },
    +        "last_alert": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "next_protocol": {
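Review bot: The `password` mapping (`"type": "string", "index": "not_analyzed"`) turns whatever Bro puts in the FTP `password` field into a stored, exactly-searchable term in the bro index right next to `user`, and nothing in the change says whether indexing captured credentials is intended. Bro only emits the cleartext password when the FTP `capture_password` option is enabled (I believe it logs a placeholder otherwise), so the default is benign, but the template will silently accept and index real credentials the moment an operator flips that option. Consider either mapping it with `"index": "no"` so it stays in `_source` but is not queryable, or adding a note alongside the template that enabling `capture_password` in Bro lands cleartext credentials in Elasticsearch and that read access to the index should be restricted accordingly. Separately, the multi-valued identifier fields are typed inconsistently — `conn_uids` and `analyzers` get `"analyzer": "simple"` while `fuids` and `fuid` are `not_analyzed` — so an exact-match query on one will behave differently from the other; `"index": "not_analyzed"` for all of them is the predictable choice for id-like values. The enclosing mapping object continues past the quoted hunk.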
    --- End diff --
    
    Should I expect to see every field in each of the supported log sources 
defined in the template?
    
    I quickly spot-checked DPD and I don't see `proto`, `disabled_aids` or 
`packet_segment` defined in the template.  I believe these are all valid fields 
that a user could get as part of the [DPD 
record](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info).
    
    Let me know if my assumption is wrong.

