Github user mmiklavc commented on the issue:
https://github.com/apache/metron/pull/995
> This causes a problem in our DAO layer because we don't do partial
> updates (we reindex the whole document) and these expanded fields are included
> in the updated document.

@merrimanr Can you elaborate on this a bit? I'm not sure I follow the full
scope of the problem. Per @ottobackwards' comment, would new fields introduced
by parsers also cause issues? What are the parameters around when a user would
"step in it?" What prophylaxis do we need to ensure, or at least reduce the
risk, that this can happen for other fields?

This makes me think of another topic that's been discussed recently about
message envelopes (e.g. syslog and parser chaining) that potentially wrap
multiple other log types that need to be parsed. If the wrapped messages all
routed to the same index, is that a problem?
---