[ 
https://issues.apache.org/jira/browse/METRON-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15878847#comment-15878847
 ] 

ASF GitHub Bot commented on METRON-701:
---------------------------------------

Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/449
  
    Still thinking through the implications, but it looks pretty clean and intuitive this way (at least more intuitive).
    ```
    {
      "profiles": [
        {
          "profile": "test",
          "foreach": "'global'",
          "onlyif": "source.type == 'squid'",
          "update":  { "stats": "STATS_ADD(stats, LENGTH(url))" },
          "result":  {
             "profile" : "stats",
             "triage" : "{ 'mean' : 'STATS_MEAN(stats)', 'stddev' : 'STATS_SD(stats)' }"
           }
        }
      ]
    }
    ```
    
    Maybe even get rid of "result" altogether?
    ```
    {
      "profiles": [
        {
          "profile": "test",
          "foreach": "'global'",
          "onlyif": "source.type == 'squid'",
          "update":  { "stats": "STATS_ADD(stats, LENGTH(url))" },
          "profile" : "stats",
          "triage" : "{ 'mean' : 'STATS_MEAN(stats)', 'stddev' : 'STATS_SD(stats)' }"
        }
      ]
    }
    ```

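An added example (not code from the PR or from Metron) that walks the proposed profile definition through its lifecycle: `foreach` picks the entity, `onlyif` filters messages, `update` accumulates state per entity, and `result` emits the stored measurement plus the `triage` fields that threat triage rules could then interrogate. It uses the nested `result` form from the first block (the flattened form repeats the `profile` key, which a JSON parser would silently collapse); the `STATS_*` stand-ins, the telemetry messages and the use of a restricted `eval` in place of the Stellar engine are all assumptions made for the demo.

```python
import math
from types import SimpleNamespace
# Profile from the comment above (nested "result" form), as a Python dict.
PROFILE = {
    "profile": "test",
    "foreach": "'global'",
    "onlyif": "source.type == 'squid'",
    "update": {"stats": "STATS_ADD(stats, LENGTH(url))"},
    "result": {"profile": "stats",
               "triage": "{ 'mean' : 'STATS_MEAN(stats)', 'stddev' : 'STATS_SD(stats)' }"},
}
# Constructed telemetry for one window; the squid URLs are 20, 25 and 30 chars.
MESSAGES = [
    {"source": {"type": "squid"}, "url": "http://example.com/a"},
    {"source": {"type": "squid"}, "url": "http://example.com/abcdef"},
    {"source": {"type": "bro"}, "url": "http://ignored.example/xyz"},
    {"source": {"type": "squid"}, "url": "http://example.com/abcdefghijk"},
]
# Stand-ins for the Stellar functions used above (assumption: a plain list and
# sample standard deviation, not Metron's streaming statistics object).
STELLAR = {"LENGTH": len, "STATS_ADD": lambda st, v: (st or []) + [v],
           "STATS_MEAN": lambda s: sum(s) / len(s),
           "STATS_SD": lambda s: math.sqrt(sum((x - sum(s) / len(s)) ** 2 for x in s) / (len(s) - 1))}

def stellar(expr, message, state):
    """The expressions on this page are also valid Python, so a restricted eval
    stands in for the Stellar engine (demo only; the config is inline and trusted)."""
    scope = {"__builtins__": {}, **STELLAR, **state}
    for k, v in message.items():  # 'source.type' needs attribute access
        scope[k] = SimpleNamespace(**v) if isinstance(v, dict) else v
    return eval(expr, scope)

def run_profile(profile, messages):
    """Apply foreach/onlyif/update per message, then result once per entity."""
    state = {}
    for msg in messages:
        if not stellar(profile["onlyif"], msg, {}):
            continue  # dropped by "onlyif"
        entity = stellar(profile["foreach"], msg, {})
        vars_ = state.setdefault(entity, {v: None for v in profile["update"]})
        for var, expr in profile["update"].items():
            vars_[var] = stellar(expr, msg, vars_)
    results, res = {}, profile["result"]
    for entity, vars_ in state.items():
        # "profile" is the stored measurement; "triage" values become fields for threat triage.
        triage = stellar(res["triage"], {}, vars_)
        results[entity] = {"profile": stellar(res["profile"], {}, vars_),
                           "triage": {n: stellar(e, {}, vars_) for n, e in triage.items()}}
    return results
```

Running `run_profile(PROFILE, MESSAGES)` yields one entry for the `global` entity with `mean` 25.0 and `stddev` 5.0; the `bro` message never reaches `update`.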


> Triage Metrics Produced by the Profiler
> ---------------------------------------
>
>                 Key: METRON-701
>                 URL: https://issues.apache.org/jira/browse/METRON-701
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
>
> h3. Problem
> The motivating example is that I would like to create an alert if the number 
> of inbound flows to any host over a 15 minute interval is abnormal.  
> The value being interrogated here, the number of inbound flows, is not a 
> static value contained within any single telemetry message.  This value is 
> calculated across multiple messages by the Profiler.  The current Threat 
> Triage process cannot be used to interrogate values calculated by the 
> Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry.   The 
> measurements captured by the Profiler would be enqueued into a Kafka topic.  
> We would then treat those Profiler messages like any other telemetry.  We 
> would parse, enrich, triage, and index those messages.
> This would have the following advantages.
> 1.  We would be able to reuse the same threat triage mechanism for values 
> calculated by the Profiler.
> 2.  We would be able to generate profiles from the profiled data - aka 
> meta-profiles anyone? 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)