[
https://issues.apache.org/jira/browse/METRON-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16038701#comment-16038701
]
ASF GitHub Bot commented on METRON-941:
---------------------------------------
Github user ctramnitz commented on the issue:
https://github.com/apache/metron/pull/579
I'm running this myself and actively parsing PaloAlto logs with this change
for about 3 weeks. You can also see that the changes are fairly trivial and
that structure and naming follows the vendors specifications.
I understand your concerns about the missing unit tests, but, as mentioned
before, unit testing was completely non functional before, I didn't even
remotely touch it. You basically have the choice of not merging this, resulting
in having no unit test and a broken parser, or merging it with still no unit
test but having a working parser. As I already discussed for METRON-962 I can
provide sample logs for unit testing.
> native PaloAlto parser corrupts message when having a comma in the payload
> --------------------------------------------------------------------------
>
> Key: METRON-941
> URL: https://issues.apache.org/jira/browse/METRON-941
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.4
> Environment: full-dev master
> Reporter: Christian Tramnitz
> Priority: Minor
>
> When a data field contains a comma (i.e. the URL, not too uncommon), the
> split(",") kicks in and the rest of the message if off by few fields due to
> positional definition.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
