[ https://issues.apache.org/jira/browse/METRON-515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Otto Fowler updated METRON-515:
-------------------------------
Comment: was deleted
(was: [~rmerriman] can you clarify what you mean?
Right now
No args passed = true
String or collection evaluated
Not string or collection = true
If you expect the integer 0 to not be true even though it is not a valid
parameter then is the expectation what I have above? Is your point that it is
a 0? I don't see how we can have an integer passed in and have it ever _be_
false. If it is null then there is no arg and it is true. If it exists, it is
not a valid parameter, unless we treat integer types specially as above.
)
> Stellar IS_EMPTY() function does not work as expected
> -----------------------------------------------------
>
> Key: METRON-515
> URL: https://issues.apache.org/jira/browse/METRON-515
> Project: Metron
> Issue Type: Bug
> Reporter: Ryan Merriman
> Assignee: Ryan Merriman
>
> The "IS_EMPTY" Stellar function is not giving the correct result in some
> cases. Consider the following enrichment config:
> {
>   "index": "bro",
>   "batchSize": 5,
>   "enrichment" : {
>     "fieldMap": {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel": {
>     "fieldMap": {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap": {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "exists(ip_dst_addr)" : 0.10,
>         "IS_EMPTY(rcode)" : 0.91,
>         "exists(ip_dst_port)" : 0.20,
>         "exists(ip_src_port)" : 0.30000000000
>       },
>       "aggregator" : "MAX",
>       "aggregationConfig":
>       {
>         "NEGATIVE_VALUES_TRUMP_CONF" : "false"
>       }
>     }
>   }
> }
> When a message with "rcode" = 0 is sent through the enrichment topology, the
> function incorrectly returns true and sets the threat triage value to 0.91.
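Added example, not part of the original message and not Metron code: a small Python model of the IS_EMPTY behaviour as the deleted comment describes it, run against the riskLevelRules from the issue with the MAX aggregator. The function names, the simplified exists() check, the 0.0 score when no rule matches and the sample messages are assumptions made for illustration.

```python
# Model of the IS_EMPTY behaviour described in the deleted comment (an
# assumption, not Metron source): no argument -> True, string or collection ->
# checked for emptiness, any other type -> True.
_MISSING = object()

def is_empty_as_described(arg=_MISSING):
    if arg is _MISSING or arg is None:
        return True
    if isinstance(arg, (str, list, tuple, set, dict)):
        return len(arg) == 0
    return True  # integers such as rcode = 0 land here

def exists(msg, field):
    # Simplified stand-in for the Stellar exists() check (assumption).
    return msg.get(field) is not None

# riskLevelRules from the enrichment config in the issue, as (predicate, score).
RISK_LEVEL_RULES = [
    (lambda m: exists(m, "ip_dst_addr"), 0.10),
    (lambda m: is_empty_as_described(m.get("rcode")), 0.91),
    (lambda m: exists(m, "ip_dst_port"), 0.20),
    (lambda m: exists(m, "ip_src_port"), 0.30),
]

def triage_score(msg):
    """MAX aggregator: highest score among the rules that evaluate to true."""
    scores = [score for rule, score in RISK_LEVEL_RULES if rule(msg)]
    return max(scores, default=0.0)  # 0.0 when nothing matches (assumption)

# Constructed sample messages (not taken from the issue).
BASE = {"ip_src_addr": "10.0.0.1", "ip_dst_addr": "10.0.0.2",
        "ip_src_port": 49152, "ip_dst_port": 53}
SAMPLES = {
    "rcode = 0 (integer)": dict(BASE, rcode=0),
    "rcode = 3 (integer)": dict(BASE, rcode=3),
    "rcode = '' (empty string)": dict(BASE, rcode=""),
    "rcode = 'NOERROR'": dict(BASE, rcode="NOERROR"),
    "rcode absent": dict(BASE),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        empty = is_empty_as_described(msg.get("rcode"))
        print(f"{label:28} IS_EMPTY={empty!s:5} score={triage_score(msg)}")
```

Under this model an integer rcode of any value scores the same as a message with no rcode at all, so the 0.91 rule cannot separate the two cases.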