Ryan Merriman created METRON-515:
------------------------------------

             Summary: Stellar IS_EMPTY() function does not work as expected
                 Key: METRON-515
                 URL: https://issues.apache.org/jira/browse/METRON-515
             Project: Metron
          Issue Type: Bug
            Reporter: Ryan Merriman
            Assignee: Ryan Merriman
The "IS_EMPTY" Stellar function is not giving the correct result in some cases. Consider the following enrichment config:

{
  "index": "bro",
  "batchSize": 5,
  "enrichment" : {
    "fieldMap": {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr" : ["malicious_ip"],
      "ip_dst_addr" : ["malicious_ip"]
    },
    "triageConfig" : {
      "riskLevelRules" : {
        "exists(ip_dst_addr)" : 0.10,
        "IS_EMPTY(rcode)" : 0.91,
        "exists(ip_dst_port)" : 0.20,
        "exists(ip_src_port)" : 0.30000000000
      },
      "aggregator" : "MAX",
      "aggregationConfig": {
        "NEGATIVE_VALUES_TRUMP_CONF" : "false"
      }
    }
  }
}

When a message with "rcode" = 0 is sent through the enrichment topology, the function incorrectly returns true and sets the threat triage value to 0.91.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
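The scoring behaviour this report describes, modelled as an added example that is not Metron's or Stellar's own code: a small evaluator for the riskLevelRules and MAX aggregator from the config above, run once with a hypothetical truthiness-based IS_EMPTY (the kind of predicate that reports integer 0 as empty) and once with a corrected one. The rule syntax handled (fn(field) only), the exists() semantics (field present with a non-null value) and the sample Bro message are assumptions of the example, not taken from the report.

```python
"""Added example: a minimal model of Metron threat-triage scoring.

This is not Metron's or Stellar's own code. It implements just enough of the
"riskLevelRules" + "MAX" aggregator semantics from the METRON-515 report to
show why an IS_EMPTY that treats integer 0 as empty mis-scores a message.
Assumptions: rules are of the form fn(field); exists(field) means the field
is present with a non-null value; the Bro message below is constructed.
"""
import re
from typing import Any, Callable, Dict, Tuple

# triageConfig copied from the report's enrichment config.
TRIAGE_CONFIG: Dict[str, Any] = {
    "riskLevelRules": {
        "exists(ip_dst_addr)": 0.10,
        "IS_EMPTY(rcode)": 0.91,
        "exists(ip_dst_port)": 0.20,
        "exists(ip_src_port)": 0.30000000000,
    },
    "aggregator": "MAX",
}

# Constructed sample message: a DNS reply (rcode 0 = NOERROR) carrying every field.
SAMPLE_MESSAGE: Dict[str, Any] = {
    "ip_src_addr": "10.0.0.5",
    "ip_src_port": 53123,
    "ip_dst_addr": "10.0.0.53",
    "ip_dst_port": 53,
    "rcode": 0,
}


def is_empty_naive(value: Any) -> bool:
    """Hypothetical buggy predicate: 'empty' means falsy.

    Integer 0, 0.0 and False are falsy, so they are wrongly reported as empty.
    """
    return not value


def is_empty(value: Any) -> bool:
    """Corrected predicate: only null, empty strings and empty collections are empty."""
    if value is None:
        return True
    if isinstance(value, (str, bytes, list, tuple, set, frozenset, dict)):
        return len(value) == 0
    return False  # numbers and booleans are values, never "empty"


_RULE = re.compile(r"^(\w+)\((\w+)\)$")


def evaluate_rules(
    message: Dict[str, Any],
    rules: Dict[str, float],
    functions: Dict[str, Callable[[Dict[str, Any], str], bool]],
) -> Dict[str, float]:
    """Return {rule: score} for every rule whose predicate holds for the message."""
    hits: Dict[str, float] = {}
    for rule, score in rules.items():
        m = _RULE.match(rule)
        if m is None:
            raise ValueError(f"unsupported rule syntax in this model: {rule}")
        fn_name, field = m.groups()
        if functions[fn_name](message, field):
            hits[rule] = score
    return hits


def triage(
    message: Dict[str, Any],
    config: Dict[str, Any],
    is_empty_fn: Callable[[Any], bool],
) -> Tuple[float, Dict[str, float]]:
    """Score a message: MAX over the scores of all matching rules (0.0 if none match)."""
    functions: Dict[str, Callable[[Dict[str, Any], str], bool]] = {
        # Assumption: exists() is true when the field is present and non-null.
        "exists": lambda msg, field: msg.get(field) is not None,
        "IS_EMPTY": lambda msg, field: is_empty_fn(msg.get(field)),
    }
    hits = evaluate_rules(message, config["riskLevelRules"], functions)
    if config["aggregator"] != "MAX":
        raise ValueError("only the MAX aggregator is modelled here")
    return (max(hits.values()) if hits else 0.0), hits


if __name__ == "__main__":
    for name, fn in (("naive IS_EMPTY", is_empty_naive), ("corrected IS_EMPTY", is_empty)):
        score, hits = triage(SAMPLE_MESSAGE, TRIAGE_CONFIG, fn)
        print(f"{name}: threat triage score = {score}, matched = {sorted(hits)}")
```

With the naive predicate the rcode = 0 message matches IS_EMPTY(rcode), so MAX yields 0.91, which is the behaviour the report describes. With the corrected predicate the highest matching rule is exists(ip_src_port) and the score is 0.3. A message that genuinely lacks rcode still scores 0.91 under both predicates, which is the only case the 0.91 rule should fire on.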