Github user nickwallen commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123014881

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" + }, + "analyzer": { + "type": "string", + "index": "not_analyzed" + }, + "failure_reason": {
--- End diff --

It would be handy to know which fields in the template belong to which Bro log source (DPD vs Conn). This might make it easier for users (and us) to maintain or customize the template going forward. I can think of two possible ways to do this, but maybe there are better ways.

**Option 1:** We can use multiple templates that get [merged into a single final template](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html#multiple-templates). This would provide a nice, clean separation between the different log sources. But it might take more effort than it is worth.

**Option 2:** We can embed `/* c-style block comments */` in the template itself. We could throw a comment above each set of fields that pertain to a given source. We could also maintain the handy links that you embedded in the PR description.

```
/*
 * DPD
 * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
 */
"failure_reason": {
  ..
```
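Review bot: nothing in the hunk records which Bro log source the new `analyzer` and `failure_reason` mappings belong to, and with a net 532 lines added under the single `@@ -238,6 +238,538 @@` header that leaves anyone maintaining bro_index.template to work out the grouping by hand; a block comment naming the source above each group of fields, or one template per source merged by Elasticsearch, would make the structure self-documenting. The new entries do follow the surrounding `"type": "string", "index": "not_analyzed"` convention, so they will behave like the existing `qtype_name` field for exact-match filtering; keep that consistent across the rest of the addition.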
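The two options above, as an added example that is not code from the Metron project or from the comment author: per-source template fragments carrying block comments (Option 2) are stripped of those comments so they parse with the standard `json` module, which rejects comments, and then deep-merged in ascending `order` to approximate what Elasticsearch does with several templates matching the same index pattern (Option 1). The fragments, the `bro_index*` pattern, the `bro_doc` mapping type, and the field names are constructed for illustration and are not the project's template; the new fields follow the `"type": "string", "index": "not_analyzed"` convention seen in the diff.

```python
"""Added example (not Metron project code): validate and assemble an
Elasticsearch index template that is split per Bro log source.

Option 1 relies on Elasticsearch merging several templates that match
the same index pattern; deep_merge below mirrors that so the combined
mapping can be inspected locally. Option 2 embeds C-style block comments
in the template; the standard json module rejects those, so they are
stripped before parsing.
"""
import json
import re

# Constructed sample fragments (assumed names: "bro_index*" pattern and
# "bro_doc" mapping type). Each block carries an Option 2 style comment
# naming the Bro log it came from.
CONN_TEMPLATE = r'''
{
  "template": "bro_index*",
  "order": 0,
  "mappings": {
    "bro_doc": {
      "properties": {
        /*
         * Conn
         * https://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
         */
        "proto":      { "type": "string", "index": "not_analyzed" },
        "conn_state": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
'''

DPD_TEMPLATE = r'''
{
  "template": "bro_index*",
  "order": 1,
  "mappings": {
    "bro_doc": {
      "properties": {
        /*
         * DPD
         * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
         */
        "analyzer":       { "type": "string", "index": "not_analyzed" },
        "failure_reason": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
'''

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def strip_block_comments(text):
    """Remove /* ... */ comments so the template parses with json.loads.
    Comments inside JSON string literals are not expected in a mapping
    and are not special-cased here."""
    return _BLOCK_COMMENT.sub("", text)


def load_template(text):
    """Parse a template that may contain C-style block comments."""
    return json.loads(strip_block_comments(text))


def deep_merge(base, overlay):
    """Recursively merge overlay into a copy of base; overlay wins on
    conflict, which is how a higher "order" template overrides a lower one."""
    merged = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def merge_templates(*texts):
    """Approximate Elasticsearch's multi-template merge: apply templates in
    ascending "order" so later ones override earlier settings."""
    parsed = sorted((load_template(t) for t in texts),
                    key=lambda t: t.get("order", 0))
    result = {}
    for tpl in parsed:
        result = deep_merge(result, tpl)
    return result


def field_names(template, doc_type="bro_doc"):
    """Sorted list of the mapped field names for a document type."""
    return sorted(template["mappings"][doc_type]["properties"])


def check_not_analyzed(template, doc_type="bro_doc"):
    """Names of string fields that are NOT marked not_analyzed; an empty
    list means every string field keeps the template's convention."""
    props = template["mappings"][doc_type]["properties"]
    return sorted(
        name for name, spec in props.items()
        if spec.get("type") == "string" and spec.get("index") != "not_analyzed"
    )


if __name__ == "__main__":
    merged = merge_templates(CONN_TEMPLATE, DPD_TEMPLATE)
    print(json.dumps(merged, indent=2, sort_keys=True))
    print("fields:", field_names(merged))
    print("analyzed string fields:", check_not_analyzed(merged))
```

Running the script prints the merged mapping with all four fields and an empty list of analyzed string fields; the same `check_not_analyzed` pass can be run over the real template (after comment stripping) to catch a field that silently drops the `not_analyzed` convention.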
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---