Re: SUM aggregator not working?

I think until we officially migrate to ES 5.x you should write code that would be compatible with ES 2.x (if you want that code to be generally consumable by the Metron community). 04.10.2017, 18:04, "Laurens Vets" : > It's working now, so I'm happy :) > > On 2017-10-04

Re: SUM aggregator not working?

It's working now, so I'm happy :) On 2017-10-04 14:03, Casey Stella wrote: Ok, so this is subtle. Your rules are wrong and I totally understand why you thought they were right. When we index into ES, we take . and convert them to :, however PRIOR to indexing (when threat triage is running)

Re: SUM aggregator not working?

You're right, with ES 5 we can use periods directly instead of transforming them in indexing to colons (actually, this feature was reintroduced sin 2.4 ). I outlined this as a benefit in the original JIRA

Re: SUM aggregator not working?

Ok, so this is subtle. Your rules are wrong and I totally understand why you thought they were right. When we index into ES, we take . and convert them to :, however PRIOR to indexing (when threat triage is running) those fields have .'s not :'s Therefore, your rules should be:

SUM aggregator not working?

No idea whether it's a bug yet, I just need a 2nd set of eyes :) This is my event as indexed in ES (Obviously some parts have been obfuscated): { "_index": "cloudtrail_index_2017.10.04.19", "_type": "cloudtrail_doc", "_id": "95617686-bd39-46ff-b5c0-db3aeb5b6bab", "_score": null,