[ https://issues.apache.org/jira/browse/NIFI-4735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Burgess updated NIFI-4735:
-------------------------------
Affects Version/s: (was: 1.4.0)
Status: Patch Available (was: Open)
> ParseEVTX only outputs one event per chunk
> ------------------------------------------
>
> Key: NIFI-4735
> URL: https://issues.apache.org/jira/browse/NIFI-4735
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Reporter: Terry Brugger
> Priority: Major
> Attachments: EVTX2XML.xml, Screen Shot 2018-01-03 at 15.06.24.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> I have constructed a simple pipeline that reads a Windows EVTX binary file,
> runs it through ParseEvtx, and writes out the result (template attached). As
> a sample I fed it a 192MiB file and it only output 3.3MiB (see screenshot).
> The output file contains 3071 events. Not coincidentally, I am sure,
> 192MiB/64KiB = 3072, which would indicate that it only wrote out one event
> from each chunk. If I configure the processor to output by the chunk or event
> I get 3071 separate files with one event each. Unfortunately, I have no way
> to sanitize binary EVTX so I cannot provide the actual file used.
> By way of comparison, I ran the same EVTX file through evtx_dump.py from the
> python-evtx package (which I understand ParseEvtx was based on) and it
> produced 395,757 events -- on par with what I would expect. It also took much
> longer than NiFi -- like 30 minutes versus a few seconds -- which I also
> expect is consistent with processing the entire file.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
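A raw-file cross-check for the symptom described in the report, added here as an example and not part of the ticket or of NiFi's ParseEvtx code: it walks the 64KiB EVTX chunks, counts the event records in each by their record magic and size field, and compares the total with what a parser emitted. It assumes the standard EVTX layout (4096-byte file header, "ElfChnk" chunk magic, 512-byte chunk header, 0x2a2a0000 record magic with the record size at offset 4) and builds a small synthetic image so it runs offline.

```python
import struct

CHUNK_SIZE = 64 * 1024          # EVTX chunk size; the 192MiB/64KiB arithmetic in the report assumes this
FILE_HEADER_SIZE = 4096         # EVTX file header block precedes the first chunk
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_HEADER_SIZE = 512         # 128-byte chunk header plus string/template offset tables
MIN_RECORD = 28                 # magic + size + record id + filetime + trailing size copy


def count_records_per_chunk(data: bytes) -> list:
    """Number of event records found in each 64KiB chunk of an EVTX image.

    Records are located by their magic and chained via the size field at offset 4;
    no BinXml decoding is attempted, so this is independent of any parser under test."""
    counts = []
    offset = FILE_HEADER_SIZE
    while offset + CHUNK_SIZE <= len(data):
        chunk = data[offset:offset + CHUNK_SIZE]
        if chunk[:8] != CHUNK_MAGIC:
            break                                   # unused/padding chunk: stop
        pos, n = CHUNK_HEADER_SIZE, 0
        while pos + 8 <= CHUNK_SIZE and chunk[pos:pos + 4] == RECORD_MAGIC:
            size = struct.unpack_from("<I", chunk, pos + 4)[0]
            if size < MIN_RECORD or pos + size > CHUNK_SIZE:
                break                               # truncated or corrupt record
            n += 1
            pos += size
        counts.append(n)
        offset += CHUNK_SIZE
    return counts


def make_synthetic_evtx(records_per_chunk) -> bytes:
    """Constructed test image (not real log data): header block plus one chunk per
    entry, each holding that many minimal records with zeroed timestamp/body."""
    out = bytearray(b"ElfFile\x00" + b"\x00" * (FILE_HEADER_SIZE - 8))
    rec_id = 1
    for n in records_per_chunk:
        chunk = bytearray(CHUNK_MAGIC + b"\x00" * (CHUNK_HEADER_SIZE - 8))
        for _ in range(n):
            chunk += RECORD_MAGIC + struct.pack("<IQQI", MIN_RECORD, rec_id, 0, MIN_RECORD)
            rec_id += 1
        out += chunk.ljust(CHUNK_SIZE, b"\x00")
    return bytes(out)


def diagnose(parsed_events: int, data: bytes) -> str:
    """Classify a parser's event count against the raw record count."""
    counts = count_records_per_chunk(data)
    if parsed_events == len(counts) and sum(counts) > len(counts):
        return "one-event-per-chunk"                # the exact pattern in NIFI-4735
    return "ok" if parsed_events == sum(counts) else "mismatch"
```

Run `diagnose(<events emitted>, open(path, "rb").read())` against a real EVTX file to tell a per-chunk truncation apart from an unrelated count mismatch.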