tuning search query on alert UI

2019-08-14 Thread Youzha
Hi, is there any way to optimize the search query on the Alert UI? I try to query all data on my Alert UI but the process runs too slowly, especially the first time I execute the search button. Sometimes I get "request time out" in the response. Please advise. Best Regards, tkg_cangkul

[ask] create profile for profiler with multiple fields on foreach

2019-07-17 Thread Youzha
Hi, is it possible to use multiple fields inside foreach on the profiler? I've tried using AND like below, but it failed. Please help. { "profiles": [ { "profile": "hello-world", "onlyif": "exists(ip_src_addr) AND exists(ip_dst_addr)", "foreach": "ip_src_addr AND ip_dst_addr,

multiple pattern grok parser in 1 file

2017-10-22 Thread Youzha
Hi, is it possible to use multiple grok patterns in one pattern file? I'm trying to parse the auth log file in /var/log/secure into Metron. The problem is that there are different structures of logs inside /var/log/secure. Any suggestions for this, please? Best Regards,
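The usual way to cover several log formats with one grok pattern file is to define one sub-pattern per format and combine them with regex alternation in the top-level pattern, so that whichever branch matches supplies the fields. The block below is an added example, not code from this thread or from Metron: a small grok-style expander in plain Python that turns %{NAME:field} references into one compiled regex and parses a few constructed /var/log/secure sshd lines. The base patterns, the sshd sub-patterns, the sample lines and the field names are all this example's own assumptions, and real grok libraries implement the same expansion (including the unique-group-name trick) internally.

```python
import re

# Added example, not Metron's own code: a minimal grok-style expander that
# turns one top-level pattern built from several alternatives into a single
# regex, the way a single grok pattern file can cover several log formats.

# Constructed subset of base patterns, modelled on the common grok library.
BASE_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:[0-5][0-9]",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9._-]*",
    "USERNAME": r"[A-Za-z0-9._-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"\d+",
    "WORD": r"\w+",
}

# Constructed sshd sub-patterns for /var/log/secure, combined by alternation
# in SECURE_LOG. Field names repeat across branches (user, src_ip, ...); the
# expander gives every capture a unique regex group name and maps it back.
SECURE_PATTERNS = {
    **BASE_PATTERNS,
    "INVALID_USER": r"invalid user",
    "SSHD_PREFIX": r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} sshd\[%{INT:pid}\]: ",
    "SSHD_ACCEPTED": r"%{SSHD_PREFIX}Accepted %{WORD:method} for %{USERNAME:user} "
                     r"from %{IP:src_ip} port %{INT:src_port} ssh2",
    "SSHD_FAILED": r"%{SSHD_PREFIX}Failed %{WORD:method} for (?:%{INVALID_USER:invalid_user} )?"
                   r"%{USERNAME:user} from %{IP:src_ip} port %{INT:src_port} ssh2",
    "SSHD_SESSION": r"%{SSHD_PREFIX}pam_unix\(sshd:session\): session "
                    r"%{WORD:session_action} for user %{USERNAME:user}",
    "SECURE_LOG": r"(?:%{SSHD_ACCEPTED:accepted}|%{SSHD_FAILED:failed}|%{SSHD_SESSION:session})",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(name, patterns):
    """Expand %{NAME} and %{NAME:field} references recursively.

    Returns (compiled regex, {regex group name: field name}). Unique group
    names (g0, g1, ...) let the same field appear in several alternatives,
    which Python's re would otherwise reject as a duplicate group.
    """
    group_to_field = {}
    counter = [0]

    def expand(pattern):
        def repl(m):
            ref, field = m.group(1), m.group(2)
            body = expand(patterns[ref])      # nested references first
            if field is None:
                return f"(?:{body})"
            gname = f"g{counter[0]}"
            counter[0] += 1
            group_to_field[gname] = field
            return f"(?P<{gname}>{body})"
        return GROK_REF.sub(repl, pattern)

    return re.compile(expand(f"%{{{name}}}")), group_to_field


SECURE_REGEX, SECURE_FIELDS = compile_grok("SECURE_LOG", SECURE_PATTERNS)
EVENT_MARKERS = ("accepted", "failed", "session")


def parse_secure_line(line):
    """Parse one /var/log/secure line; return a field dict, or None if no
    branch matches, so an unknown format is rejected rather than mis-parsed."""
    m = SECURE_REGEX.match(line)
    if not m:
        return None
    event = {SECURE_FIELDS[g]: v for g, v in m.groupdict().items() if v is not None}
    for marker in EVENT_MARKERS:
        if marker in event:              # whole-branch capture only marks the type
            event["event_type"] = marker
            del event[marker]
    return event


# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "Oct 22 10:15:01 bastion sshd[2041]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: RSA SHA256:abc",
    "Oct 22 10:15:01 bastion sshd[2041]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Oct 22 10:15:07 bastion sshd[2043]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    "Oct 22 10:16:00 bastion sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_secure_line(line))
```

Two points carry over to a real grok file: the order of the alternatives matters when branches can overlap (put the most specific first), and a line that matches no branch should be rejected and routed to an error path rather than silently dropped or half-parsed, since failed and "invalid user" logins are exactly the lines a detection would want to see.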

Re: profiler logs

2017-10-22 Thread Youzha
Hi all, thanks for your reply. My profiler has succeeded now. Thanks for your help, guys. On Sun, 22 Oct 2017 at 03.53 Otto Fowler wrote: > Is that available in the version he is using? > > > On October 21, 2017 at 08:23:01, Nick Allen (n...@nickallen.org) wrote: > > Did

Re: event correlation on metron

2017-10-17 Thread Youzha
ed host_dhcp and a > sensor called host_dhcp with the relevant grok pattern. > > Simon > > > On 17 Oct 2017, at 19:19, Youzha <yuza.ras...@gmail.com> wrote: > > That's what I mean. > What sensor do I need if I want to do this case? > Especially when I want to parse some

Re: event correlation on metron

2017-10-17 Thread Youzha
rser topology. > > Simon > > > On 17 Oct 2017, at 19:00, Youzha <yuza.ras...@gmail.com> wrote: > > After the NiFi process: > > TAILFILE -> TRANSFORM_TO_GROK -> PUSH_KAFKA > > What Metron topology can I use to process the data in Kafka? So it > can be e

Re: event correlation on metron

2017-10-17 Thread Youzha
telemetry and process it so I can use it for event correlation On Tue, 17 Oct 2017 at 23.11 Laurens Vets <laur...@daemon.be> wrote: > Hi Youzha, > > Either check how the snort logs on the full dev installation are ingested > (I believe it's with a script) or check the Apache NiFi p

Fwd: event correlation on metron

2017-10-17 Thread Youzha
-- Forwarded message - From: Youzha <yuza.ras...@gmail.com> Date: Tue, 17 Oct 2017 at 22.53 Subject: Re: event correlation on metron To: <user@metron.apache.org> Is it possible to ingest other logs, like /var/log/secure for example, to be new telemetry on metro

Re: event correlation on metron

2017-10-17 Thread Youzha
Is it possible to ingest other logs, like /var/log/secure for example, to be new telemetry on Metron? I've seen the Metron architecture on the website, like the picture below. Host logs, email, AV, etc. can be telemetry events buffered on Metron. If this is possible, could you give me some suggestions on how to do

Re: metron dashboard timeout when loads many data

2017-10-12 Thread Youzha
So I must restart the datanodes one by one, and set only one master node, right? OK, I got it. Thank you so much, James, for your explanation. I will try it soon. On Thu, 12 Oct 2017 at 21.55 James Sirota wrote: > You have to restart the ES cluster in a rolling fashion. Meaning