[
https://issues.apache.org/jira/browse/METRON-2343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17104653#comment-17104653
]
Jon Zeolla commented on METRON-2343:
------------------------------------
You should be able to do that upstream of the plugin as a part of the logging
framework, but I agree that it's not the cleanest approach. If you make a new
log stream (say, `conn_w_instance_info`), you can then add a new field to that
stream and have it only use the kafka writer writer. For your use case I
expect you wouldn't be able to use `Kafka::send_all_active_logs` unless you
include the unmodified logs via `Kafka::logs_to_exclude`.
We also already do a very similar thing for tagged JSON @
https://github.com/apache/metron-bro-plugin-kafka/blob/master/src/TaggedJSON.cc
so that approach could be updated to take some arbitrary context like
environment/instance information. Want to make sure my thought process is in
line with yours - any thoughts/feedback?
> Bro Kafka plugin - ability to dynamically modify JSON
> -----------------------------------------------------
>
> Key: METRON-2343
> URL: https://issues.apache.org/jira/browse/METRON-2343
> Project: Metron
> Issue Type: Wish
> Affects Versions: 0.3.0
> Reporter: Rich Irwin
> Priority: Major
>
> Desire to have the ability to modify Bro log JSON and add a field prior to
> producing to Kafka. There is an ability to add a field to the actual Bro
> log, however, this could be cumbersome on disk space. Furthermore, the field
> looking to be added only pertains to the destined data lake for analytical
> purposes.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
