[
https://issues.apache.org/jira/browse/METRON-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16411336#comment-16411336
]
ASF GitHub Bot commented on METRON-1494:
----------------------------------------
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/967
The problem is somewhere in Storm's windowing functionality. The time that
it initially recognizes is too far in the future and causes it to mark the
messages sent in as expired. This only occurs intermittently.
Here you can see test messages generated with the last timestamp being
1521756035817.
```
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 0 route(s) for
message with timestamp=1521756035759
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 0 route(s) for
message with timestamp=1521756035802
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 0 route(s) for
message with timestamp=1521756035806
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.2, timestamp=1521756035807
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035807
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.2, timestamp=1521756035808
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035808
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.2, timestamp=1521756035813
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035813
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.3, timestamp=1521756035814
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035814
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.3, timestamp=1521756035816
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035816
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:195 - Found route for
message; profile=example2, entity=10.0.0.3, timestamp=1521756035817
2018-03-22 22:00:35 DEBUG ProfileSplitterBolt:201 - Found 1 route(s) for
message with timestamp=1521756035817
```
The first timestamp that Storm recognizes is 1521756041122, which is 5.3
seconds ahead of the latest timestamp in the data.
```
2018-03-22 22:00:41 DEBUG WindowManager:189 - Scan events, eviction policy
TimeEvictionPolicy{windowLength=5000, referenceTime=1521756041122}
```
Storm then marks these messages as expired and the Profiler never sees them.
```
2018-03-22 22:00:41 DEBUG WindowManager:212 - [6] events expired from
window.
2018-03-22 22:00:41 DEBUG WindowManager:214 - invoking
windowLifecycleListener.onExpiry
2018-03-22 22:00:41 DEBUG WindowManager:147 - No events in the window,
skipping onActivation
```
Epic test failure.
> Profiler Emits Messages to Kafka When Not Needed
> ------------------------------------------------
>
> Key: METRON-1494
> URL: https://issues.apache.org/jira/browse/METRON-1494
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.4.2
> Reporter: Nick Allen
> Assignee: Nick Allen
> Priority: Major
> Fix For: Next + 1
>
>
> Using the 'result/triage' expression allows you to send profile data to
> Kafka. This allows you to leverage the Threat Triage functionality against
> data coming out of the Profiler.
> If there is no 'result/triage' expression, then nothing should be sent to
> Kafka. Currently, a message containing some data, but no actual profile
> value, is sent to Kafka.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
