[
https://issues.apache.org/jira/browse/METRON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767165#comment-15767165
]
ASF GitHub Bot commented on METRON-590:
---------------------------------------
Github user cestella commented on the issue:
https://github.com/apache/incubator-metron/pull/395
I also wanted to mention one of the reasons I am particularly sensitive to
having multiple components that do *very nearly* the same thing. I made this
mistake early on in the project (and will probably make it again, because..you
know, I don't learn ;).
Stellar started as a predicate language only for threat triage rules. As
such, when the task of creating Field Transformations came to me, I needed
something like Stellar except I needed it to return arbitrary objects, rather
than just booleans. In my infinite wisdom, I chose to fork the language,
create a second, more specific DSL for field transformations, thereby creating
"Metron Query Language" and "Metron Transformation Language."
I felt a nagging feeling at the time that I should just expand the query
language, but I convinced myself that it would require too much testing and it
would be a change that was too broad in scope. It took 3 months for me to get
around to unifying those languages and if we had more people using it, it would
have been an absolute nightmare. This may be a "once bitten, twice shy" thing,
but I think it's a good policy in general. Pardon the interlude; just wanted
to give some context.
> Enable Use of Event Time in Profiler
> ------------------------------------
>
> Key: METRON-590
> URL: https://issues.apache.org/jira/browse/METRON-590
> Project: Metron
> Issue Type: Improvement
> Reporter: Nick Allen
> Assignee: Nick Allen
>
> There are at least two different times that are important to consider when
> handling the telemetry messages received by Metron.
> (1) Processing time is the time at which Metron processed the message.
> (2) Event time is the time at which the event actually occurred.
> If Metron is consuming live data and all is well, the processing and event
> times may remain close and consistent. When processing time differs from
> event time the data produced by the Profiler may be inaccurate. There are a
> few scenarios under which these times might differ greatly which would
> negatively impact the feature set produced by the Profiler.
> (1) When the system has experienced an outage, for example, a scheduled
> maintenance window. When restarted a high volume of messages will need to be
> processed by the Profiler. The output of the Profiler will indicate an
> increase in activity, although no change in activity actually occurred on the
> target network. This could happen whether the outage was Metron itself or an
> upstream system that feeds data to Metron.
> (2) If the user attempts to replay historical telemetry through the Profiler,
> the Profiler will attribute the activity to the time period in which it was
> processed. Obviously the activity should be attributed to the time period in
> which the raw telemetry events originated in.
> There are some scenarios when processing time might be preferred and other
> use cases where event time is preferred. The Profiler should be enhanced to
> allow it to produce profiles based on either processing time or event time.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
