[
https://issues.apache.org/jira/browse/METRON-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16006461#comment-16006461
]
ASF GitHub Bot commented on METRON-941:
---------------------------------------
Github user simonellistonball commented on the issue:
https://github.com/apache/incubator-metron/pull/579
Yes, that makes sense, but does have some performance implications of
course. A single mapping would have much faster response, so I would question
the original approach (on which you are quite correct). I'm sure others will
chime in if there are benefits to the re-write the name approach that I'm
missing. Right now we only formally define a small number of the fields -
ip_(src|dest)_(addr|port) etc to have the metron format, but I would argue
things like nat_source_addr in this parser should follow the spirit of the
convention.
> native PaloAlto parser corrupts message when having a comma in the payload
> --------------------------------------------------------------------------
>
> Key: METRON-941
> URL: https://issues.apache.org/jira/browse/METRON-941
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.4
> Environment: full-dev master
> Reporter: Christian Tramnitz
> Priority: Minor
>
> When a data field contains a comma (i.e. the URL, not too uncommon), the
> split(",") kicks in and the rest of the message is off by a few fields due to
> positional definition.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
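
The failure described in the issue, as an added example that is not part of the JIRA message or of Metron's code: a positional `split(",")` beside a quote-aware split, with a field-count check. The four-field layout, the sample line, the `parse_error` key and the assumption that the sender double-quotes fields containing commas are constructed for illustration.

```java
import java.util.*;

public class CommaInFieldDemo {
    // Constructed four-field layout for illustration; not the real PAN-OS field order.
    static final String[] FIELDS = {"receive_time", "ip_src_addr", "url", "action"};

    // Quote-aware split: a comma inside double quotes is data, "" is an escaped quote.
    static List<String> splitQuoted(String line) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (c == '"') {
                if (inQuotes && i + 1 < line.length() && line.charAt(i + 1) == '"') {
                    cur.append('"');   // escaped quote inside a quoted field
                    i++;
                } else {
                    inQuotes = !inQuotes;
                }
            } else if (c == ',' && !inQuotes) {
                out.add(cur.toString());   // field boundary
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString());
        return out;
    }

    // Positional mapping as in the bug report: token i becomes field i.
    // A token count that differs from the layout is flagged instead of passing silently.
    static Map<String, String> toRecord(List<String> tokens) {
        Map<String, String> rec = new LinkedHashMap<>();
        for (int i = 0; i < FIELDS.length && i < tokens.size(); i++) {
            rec.put(FIELDS[i], tokens.get(i));
        }
        if (tokens.size() != FIELDS.length) {
            rec.put("parse_error", "expected " + FIELDS.length + " fields, got " + tokens.size());
        }
        return rec;
    }

    public static void main(String[] args) {
        // Constructed sample line; the quoted URL field contains a comma.
        String line = "2017/05/11 10:00:00,192.0.2.10,\"example.com/a?ids=1,2\",allow";
        System.out.println("naive : " + toRecord(Arrays.asList(line.split(","))));
        System.out.println("quoted: " + toRecord(splitQuoted(line)));
    }
}
```

With the naive split the `action` field receives the tail of the URL, so a downstream rule keyed on `action` would evaluate the wrong value; the count check is what makes that misparse visible.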