[ 
https://issues.apache.org/jira/browse/NIFI-4735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812600#comment-16812600
 ] 

ASF subversion and git services commented on NIFI-4735:
-------------------------------------------------------

Commit e63a9d1e37244219e7685698796680e85a413bd4 in nifi's branch 
refs/heads/support/nifi-1.9.x from Ferenc Szabó
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=e63a9d1 ]

NIFI-4735: ParseEVTX only outputs one event per chunk

This change is based on https://github.com/apache/nifi/pull/2489

I have reproduced the issue with some additional test cases and test files then 
applied the original fix.

commit message from the original change:
Updated the EVTX FileHeader class to correctly check if there are more chunks 
in the file. Previously this would not process the last chunk.

Updated the EVTX ChunkHeader class to correctly check if there are additional 
records in the chunk. Previously this would only process the first record of 
each chunk. It was using the fileLastRecordNumber where it should have been 
using the logLastRecordNumber value.

Updated the EVTX unit tests to have the correct expected number of events and 
use the logLastRecordNumber.

refactoring duplicated code and magic numbers

Signed-off-by: Matthew Burgess <mattyb...@apache.org>

This closes #2489
This closes #3379


> ParseEVTX only outputs one event per chunk
> ------------------------------------------
>
>                 Key: NIFI-4735
>                 URL: https://issues.apache.org/jira/browse/NIFI-4735
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>            Reporter: Terry Brugger
>            Priority: Major
>             Fix For: 1.10.0, 1.9.2
>
>         Attachments: EVTX2XML.xml, Screen Shot 2018-01-03 at 15.06.24.png
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> I have constructed a simple pipeline that reads a Windows EVTX binary file, 
> runs it through ParseEvtx, and writes out the result (template attached). As 
> a sample I fed it a 192MiB file and it only output 3.3MiB (see screenshot). 
> The output file contains 3071 events. Not coincidentally, I am sure, 
> 192MiB/64KiB = 3072, which would indicate that it only wrote out one event 
> from each chunk. If I configure the processor to output by the chunk or event 
> I get 3071 separate files with one event each. Unfortunately, I have no way 
> to sanitize binary EVTX so I cannot provide the actual file used.
> By way of comparison, I ran the same EVTX file through evtx_dump.py from the 
> python-evtx package (which I understand ParseEvtx was based on) and it 
> produced 395,757 events -- on par with what I would expect. It also took much 
> longer than NiFi -- like 30 minutes versus a few seconds -- which I also 
> expect is consistent with processing the entire file.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
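The completeness check the report performs by hand (3071 events out versus 395,757 expected), as an added example that is not NiFi's or python-evtx's code: it sums the record counts promised by each 64 KiB chunk header and models a record loop bounded by either header field. Assumptions: the four record-number fields sit at offsets 8 to 39 of the chunk header as python-evtx reads them, each record's own number follows the log numbering, the input is the chunk area after the file header, and the sample bytes are constructed.

```python
import struct

CHUNK_SIZE = 0x10000        # 64 KiB chunks, the unit the report divides by
HEADER_SIZE = 0x200         # assumption: records start after a 512-byte chunk header
RECORD_MAGIC = b"\x2a\x2a\x00\x00"

def build_chunk(file_first, log_first, count):
    """Constructed sample chunk holding `count` records with dummy payloads."""
    payload = b"\x00" * 16
    size = 4 + 4 + 8 + 8 + len(payload) + 4
    body = b"".join(
        RECORD_MAGIC + struct.pack("<IQQ", size, log_first + i, 0)
        + payload + struct.pack("<I", size)
        for i in range(count))
    header = b"ElfChnk\x00" + struct.pack(
        "<QQQQ", file_first, file_first + count - 1,
        log_first, log_first + count - 1)
    return (header.ljust(HEADER_SIZE, b"\x00") + body).ljust(CHUNK_SIZE, b"\x00")

def header_numbers(chunk):
    """Return (file_first, file_last, log_first, log_last) from a chunk header."""
    if chunk[:8] != b"ElfChnk\x00":
        raise ValueError("bad chunk signature")
    return struct.unpack_from("<QQQQ", chunk, 8)

def walk_records(chunk, bound="log"):
    """List record numbers, stopping once the chosen header bound is reached."""
    _, file_last, _, log_last = header_numbers(chunk)
    last = log_last if bound == "log" else file_last
    numbers, off = [], HEADER_SIZE
    while off + 28 <= len(chunk) and chunk[off:off + 4] == RECORD_MAGIC:
        size, number = struct.unpack_from("<IQ", chunk, off + 4)
        if size < 28 or off + size > len(chunk):
            raise ValueError("corrupt record size at offset %d" % off)
        numbers.append(number)
        if number >= last:
            break
        off += size
    return numbers

def expected_events(chunk_area):
    """Event count the chunk headers promise; compare with a parser's output."""
    total = 0
    for off in range(0, len(chunk_area), CHUNK_SIZE):
        _, _, log_first, log_last = header_numbers(chunk_area[off:off + CHUNK_SIZE])
        total += log_last - log_first + 1
    return total

# Constructed input: two chunks whose file and log numbering differ.
SAMPLE = build_chunk(1, 1001, 3) + build_chunk(4, 1004, 5)
```

On the constructed sample the headers promise 8 events, while the loop bounded by the file field returns one record per chunk, the same shape as the reported symptom.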