Github user cestella commented on the pull request:
https://github.com/apache/incubator-metron/pull/131#issuecomment-222363251
The way to validate this is to
* Create a second column family on the enrichment HBase table, say `cf1`
* Push some enrichment data into the table in that column family.
Something similar to the malicious IP's from the blog post. I'd suggest
calling the enrichment type `malicious_ip`
* Modify the configs for one of the topologies you want to test in
`/usr/metron/0.1BETA/config/zookeeper/enrichment` to add a `config` section
under `threatIntel` marking that `malicious_ip` should come from column family
`cf1` like the following
```
{
"index": "bro",
"batchSize": 5,
"threatIntel": {
"fieldMap": {
"hbaseThreatIntel" : [ "ip_dst_addr" ]
},
"fieldToTypeMap": {
"ip_dst_addr" : [ "malicious_ip" ]
},
"config" : {
"typeToColumnFamily" : {
"malicious_ip" : "cf1"
}
}
}
}
```
* Run some data through and ensure that enrichments still exist.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
