[jira] [Commented] (METRON-701) Triage Metrics Produced by the Profiler

Wed, 22 Feb 2017 09:31:17 -0800 

    [ 
https://issues.apache.org/jira/browse/METRON-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15878803#comment-15878803
 ] 

ASF GitHub Bot commented on METRON-701:
---------------------------------------

Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/449
  
    > You seem to be sending every profile into kafka, not just the configured 
ones
    
    Just for clarity, you can define the destination for each profile.  It 
defaults to a `"destination" : ["hbase", "kafka"]`.  For example, if I only 
wanted to send to HBase.
    ```
    {
       "profile": "profile-one-destination",
       "foreach": "ip_src_addr",
        "init":   { "x": "0" },
        "update": { "x": "x + 1" },
         "result": "x",
        "destination": ["hbase"]
    }
    ```
    
    But that is just a side point.  Your idea is really interesting.  We've 
talked before about having multiple result values, which I think is super 
useful.  I'll think on this a bit.  Thanks for the feedback.



> Triage Metrics Produced by the Profiler
> ---------------------------------------
>
>                 Key: METRON-701
>                 URL: https://issues.apache.org/jira/browse/METRON-701
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
>
> h3. Problem
> The motivating example is that I would like to create an alert if the number 
> of inbound flows to any host over a 15 minute interval is abnormal.  
> The value being interrogated here, the number of inbound flows, is not a 
> static value contained within any single telemetry message.  This value is 
> calculated across multiple messages by the Profiler.  The current Threat 
> Triage process cannot be used to interrogate values calculated by the 
> Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry.   The 
> measurements captured by the Profiler would be enqueued into a Kafka topic.  
> We would then treat those Profiler messages like any other telemetry.  We 
> would parse, enrich, triage, and index those messages.
> This would have the following advantages.
> 1.  We would be able to reuse the same threat triage mechanism for values 
> calculated by the Profiler.
> 2.  We would be able to generate profiles from the profiled data - aka 
> meta-profiles anyone? 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to