[
https://issues.apache.org/jira/browse/METRON-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16006501#comment-16006501
]
ASF GitHub Bot commented on METRON-941:
---------------------------------------
Github user ctramnitz commented on the issue:
https://github.com/apache/incubator-metron/pull/579
I agree with both of your points, defining it with the final name from the
beginning would be more efficient and we should come up with a more normalized
and standardized field naming convention in general.
However, the second part is something for all parsers, not just this one,
so it's a little bit out of scope for this PR. In fact, this PR doesn't change
the concept of the previous code, it just makes the "intermediate" field names
more consistent by following the vendor documentation.
My suggestion would be to either merge this PR as-is or with
one-time-definition of already defined Metron field names. To follow up on the
other topic, we create a new Jira to define a normalized message format for all
parsers (and enrichments), with subtasks to adapt each of the parsers
(including this one).
> native PaloAlto parser corrupts message when having a comma in the payload
> --------------------------------------------------------------------------
>
> Key: METRON-941
> URL: https://issues.apache.org/jira/browse/METRON-941
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.4
> Environment: full-dev master
> Reporter: Christian Tramnitz
> Priority: Minor
>
> When a data field contains a comma (i.e. the URL, not too uncommon), the
> split(",") kicks in and the rest of the message is off by a few fields due to
> positional definition.
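The failure described in the issue, shown as an added example that is not part of the original message or of the Metron code base: a plain `split(",")` shifts every positional field after a comma-bearing URL, while a quote-aware splitter keeps the positions intact. It assumes comma-containing fields arrive wrapped in double quotes; the sample line, the field names and the `splitQuoted` helper are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CommaSplitDemo {
    // Hypothetical helper: commas inside double-quoted fields are data, not
    // delimiters; a doubled quote ("") inside a quoted field is a literal quote.
    static List<String> splitQuoted(String line) {
        List<String> fields = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (c == '"') {
                if (inQuotes && i + 1 < line.length() && line.charAt(i + 1) == '"') {
                    cur.append('"');
                    i++;
                } else {
                    inQuotes = !inQuotes;
                }
            } else if (c == ',' && !inQuotes) {
                fields.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        fields.add(cur.toString());
        return fields;
    }

    public static void main(String[] args) {
        // Constructed sample (not a real log line): 5 positional fields,
        // the 4th (a URL) is quoted and contains commas.
        String line = "THREAT,url,10.0.0.5,\"example.com/search?q=a,b,c\",alert";
        String[] names = {"type", "subtype", "src", "url", "action"};
        String[] naive = line.split(",");
        List<String> aware = splitQuoted(line);
        System.out.println("naive field count: " + naive.length + " (expected " + names.length + ")");
        System.out.println("naive 'action' slot: " + naive[4]);
        System.out.println("quote-aware field count: " + aware.size());
        for (int i = 0; i < names.length; i++) {
            System.out.println("  " + names[i] + " = " + aware.get(i));
        }
        // Reject a record with the wrong field count instead of emitting misaligned fields.
        if (aware.size() != names.length) {
            throw new IllegalStateException("unexpected field count: " + aware.size());
        }
    }
}
```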