[ 
https://issues.apache.org/jira/browse/METRON-2330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986362#comment-16986362
 ] 

Dima Kovalyov commented on METRON-2330:
---------------------------------------

Oh, I see, yeah that makes much more sense, thank you. I still wonder why the 
specified profiler does not get committed either to HBase or to ES.

When I define this one:
{code:java}
    {
      "profile": "distinct_auth_attempts_by_user",
      "foreach": "user",
      "onlyif": "source.type == 'auth' && auth_orientation != null && auth_orientation == 'LogOn' && user != null && LENGTH(user) > 0 && ip_dst_host != null && ip_dst_host != '?'",
      "init": {
        "total": "HLLP_INIT(5,6)"
      },
      "update": {
        "total": "HLLP_ADD(total, ip_dst_host)"
      },
      "result": {
        "profile": "total",
        "triage": {
          "total_count": "HLLP_CARDINALITY(total)"
        }
      }
    }
{code}
It works just fine.

> Document Profiler "'global'" object
> -----------------------------------
>
>                 Key: METRON-2330
>                 URL: https://issues.apache.org/jira/browse/METRON-2330
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 1.7.1
>            Reporter: Dima Kovalyov
>            Priority: Minor
>
> Dear Metron community,
>  
> The "[Statistics and Mathematical Functions|https://metron.apache.org/current-book/metron-analytics/metron-statistics/index.html]" page makes use of:
> {code:java}
> "foreach": "'global'"
> {code}
> But nowhere on the internet, I was able to find any description of what it 
> is, how it's working and how to troubleshoot it.
> The page mentions "We will capture a global statistical state for the 
> {{value}} field and we will look back for a 5 minute window when computing 
> the median." from which I can guess that 'global' represents the entire 
> message instead of any particular field.
> Can you please shed some more light on it?
> In the comments, I'll post an example of my wrestle with it.


