For experimenting or validating specific Stellar expressions, the Stellar
Shell is perfect.  To do this, you just have to remember that when your
Stellar expressions execute, all of the fields of the message are in-scope.

For example, here is a quick session where I mock up some logic that sends
a message to Triage if a hypothetical "count" field is greater than 22.  In
this example, I expect my telemetry to look like the following.

{
  "ip_src_addr": "10.0.0.2",
  "ip_dst_addr": "10.0.0.3",
  "ip_src_port": "22",
  "ip_dst_port": "12345",
  "source.type": "bro",
  "count": "22"
}


Like I said, when my Stellar expression executes, each of the fields from
the message is in-scope as a variable.  To replicate this in the shell, all
I have to do is create those variables as I would expect them to exist in
the telemetry.

[Stellar]>>>
[Stellar]>>> ip_src_addr := "10.0.0.2"
[Stellar]>>> ip_dst_addr := "10.0.0.3"
[Stellar]>>> ip_src_port := 22
[Stellar]>>> ip_dst_port := 12345
[Stellar]>>> source.type := "bro"
[Stellar]>>> count := 22
[Stellar]>>> is_alert := if count > 22 then true else false
[Stellar]>>> is_alert

false

This session helped me validate the `is_alert` expression that I will add
as an enrichment expression.

Hope that answered at least some of your questions.




On Tue, Jul 4, 2017 at 10:23 AM, Ali Nazemian <alinazem...@gmail.com> wrote:

> Hi Simon,
>
> Yeah, it does, but we are looking for a way to mock a specific message and
> check some post-parse/enrichments stuff. Is that achievable via Stellar
> shell? Right now we are checking that either through end-to-end testing, or
> changing flux files to check them section by section. Unfortunately, both
> approaches are time-consuming. We are using the Stellar shell for only
> checking the validity of Stellar functions one by one right now.
>
> Suppose there is an approach we can define a JSON object as an output of a
> parser. Then, we can apply a set of post-parsing and enrichment process on
> that JSON object and check the output. Is that achievable via Stellar
> shell? Do you have any sample that we can follow to understand Stellar
> shell capabilities for this scenario? Is there any other approach to check
> that through writing Java test-cases? Writing test-cases would be easier
> for keeping track of changes.
>
> Cheers,
> Ali
>
>
> On Wed, Jul 5, 2017 at 12:06 AM, Simon Elliston Ball <
> si...@simonellistonball.com> wrote:
>
> > You should probably use the Stellar REPL (../metron/bin/stellar -z $ZK)
> > which gives you a kind of Stellar playground.
> >
> > Simon
> >
> > > On 4 Jul 2017, at 15:02, Ali Nazemian <alinazem...@gmail.com> wrote:
> > >
> > > Hi all,
> > >
> > > I was wondering if there is a test framework we can use for Stellar
> > > post-parsing and enrichment use cases. It is very time-consuming to verify
> > > use cases end-to-end. Therefore, I am looking for a way of mocking use
> > > cases step by step to speed up our development.
> > >
> > > Regards,
> > > Ali
> >
> >
>
>
> --
> A.Nazemian
>
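
Added example, not part of the original thread: a Python helper that turns a captured telemetry message into the `name := value` assignments typed into the Stellar shell session above, so the mocked variables match the message exactly. Values keep their JSON types, so the string "22" is emitted quoted; the field-name pattern and the refusal of strings that would need escaping are assumptions of this example.

```python
import json
import re

# Constructed sample: the telemetry message shown in the reply above.
SAMPLE_MESSAGE = (
    '{"ip_src_addr": "10.0.0.2", "ip_dst_addr": "10.0.0.3", "ip_src_port": "22",'
    ' "ip_dst_port": "12345", "source.type": "bro", "count": "22"}'
)

# Assumption: only names shaped like the ones in the thread are emitted.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def stellar_literal(value):
    """Render one flat JSON scalar as a literal in the thread's shell syntax."""
    if isinstance(value, bool):  # check bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        # Quote and backslash escaping is not covered in the thread, so refuse
        # such strings rather than guess.
        if any(c in value for c in '"\\\n\r'):
            raise ValueError("string needs escaping: %r" % value)
        return '"%s"' % value
    raise ValueError("unsupported value type: %s" % type(value).__name__)


def message_to_assignments(raw_json):
    """Return (assignments, skipped) for a flat JSON telemetry message."""
    message = json.loads(raw_json)
    if not isinstance(message, dict):
        raise ValueError("telemetry message must be a JSON object")
    assignments, skipped = [], []
    for name, value in message.items():
        try:
            if not SAFE_NAME.match(name):
                raise ValueError("unexpected field name")
            assignments.append("%s := %s" % (name, stellar_literal(value)))
        except ValueError as err:
            skipped.append((name, str(err)))  # report, do not emit
    return assignments, skipped


if __name__ == "__main__":
    lines, _skipped = message_to_assignments(SAMPLE_MESSAGE)
    print("\n".join(lines))
```

Fields that are skipped (nested values, unexpected names) are returned with a reason so they can be entered by hand.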
