[GitHub] incubator-metron issue #438: METRON-686 Record Rule Set that Fired During Th...

2017-02-12 Thread james-sirota
Github user james-sirota commented on the issue: https://github.com/apache/incubator-metron/pull/438 I think a better approach is to bake in an enforcement layer within Metron to only allow flat maps (key-value pairs where the value cannot be a complex object). You would enforce

[GitHub] incubator-metron pull request #449: METRON-701 Triage Metrics Produced by th...

2017-02-12 Thread james-sirota
Github user james-sirota commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/449#discussion_r100719426 --- Diff: metron-analytics/metron-profiler/src/main/java/org/apache/metron/profiler/bolt/KafkaDestinationHandler.java --- @@ -0,0 +1,78 @@

[GitHub] incubator-metron issue #450: METRON-690: Create a DSL-based timestamp lookup...

2017-02-12 Thread james-sirota
Github user james-sirota commented on the issue: https://github.com/apache/incubator-metron/pull/450 I think taking the string as an argument is really powerful, but it's also really flexible. "1 hour window every 24 hours starting from 14 days ago including the current day of the

[GitHub] incubator-metron issue #450: METRON-690: Create a DSL-based timestamp lookup...

2017-02-12 Thread cestella
Github user cestella commented on the issue: https://github.com/apache/incubator-metron/pull/450 The Readme additions were intended to break the expressions down into the possible phrases. Do you think those sections need to be structured differently?

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread trixpan
Github user trixpan commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100717512 --- Diff: metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java --- @@ -0,0 +1,274 @@ +/** + *

[GitHub] incubator-metron issue #450: METRON-690: Create a DSL-based timestamp lookup...

2017-02-12 Thread james-sirota
Github user james-sirota commented on the issue: https://github.com/apache/incubator-metron/pull/450 I think the API looks great. Can we provide a grammar in the comments for constructing the PROFILE_WINDOW function? I think the API is so flexible that it may be hard to wrap your

Re: [VOTE] Releasing Apache Metron (incubating) 0.3.1-RC4

2017-02-12 Thread James Sirota
+1. Staged in AWS and ran through initial sanity tests. Everything worked great Thanks, James 10.02.2017, 13:22, "Casey Stella" : > This is a call to vote on releasing Apache Metron 0.3.1-RC4 incubating > > Full list of changes in this release: >

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread james-sirota
Github user james-sirota commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100716097 --- Diff: metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java --- @@ -0,0 +1,186 @@ +/** +

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread james-sirota
Github user james-sirota commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100715818 --- Diff: metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java --- @@ -0,0 +1,274 @@ +/** + *

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread james-sirota
Github user james-sirota commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100716155 --- Diff: metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/adallom.cef --- @@ -0,0 +1 @@

[GitHub] incubator-metron issue #452: Removed MySQL from Enrichment Diagram

2017-02-12 Thread james-sirota
Github user james-sirota commented on the issue: https://github.com/apache/incubator-metron/pull/452 +1 by inspection. thanks for catching this, simon

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread trixpan
Github user trixpan commented on the issue: https://github.com/apache/incubator-metron/pull/451 Seems ok to me. The only last comment which certainly is not a blocker (and if I read the code correctly, is already addressed

[GitHub] incubator-metron issue #447: METRON-708: Update metron documentation

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/447 Diagram updated in https://github.com/apache/incubator-metron/pull/452

[GitHub] incubator-metron pull request #452: Removed MySQL from Enrichment Diagram

2017-02-12 Thread simonellistonball
GitHub user simonellistonball opened a pull request: https://github.com/apache/incubator-metron/pull/452 Removed MySQL from Enrichment Diagram You can merge this pull request into a Git repository by running: $ git pull https://github.com/simonellistonball/incubator-metron

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/451 Agreed, let's pull the date discussion into a wider forum. Apart from this, is there anything else you see in this parser specifically to block merging?

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread trixpan
Github user trixpan commented on the issue: https://github.com/apache/incubator-metron/pull/451 Yep. I would say unless HPE clarifies Mmm being English only, providing the parsers with the ability to set locale would be ideal. And I didn't even mention that they use Zzz

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/451 The joys of international date parsing, right? Seems like the CEF standard is not the most well read among device vendors. A number of the 'from the wild' examples we've got in

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread trixpan
Github user trixpan commented on the issue: https://github.com/apache/incubator-metron/pull/451 No. And under RFC 3164, Syslog's Mmm is English only, but this certainty is not present in the CEF spec, which states MMM as SimpleDateFormat and makes no reference to locale. This in theory

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100688919 --- Diff: metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java --- @@ -0,0 +1,272 @@ +/**

[GitHub] incubator-metron issue #451: METRON-157: Added CEF Parser

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/451 Syslog timestamp capture looks to be locale sensitive here, though all other date parsing is SimpleDateFormat based, so should be robust to locale. Do you see this issue on

[GitHub] incubator-metron pull request #451: METRON-157: Added CEF Parser

2017-02-12 Thread simonellistonball
Github user simonellistonball commented on a diff in the pull request: https://github.com/apache/incubator-metron/pull/451#discussion_r100688850 --- Diff: metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/cyberark.json --- @@ -0,0 +1,21 @@ +{