Hi,

The Profiler will consume messages from the input Kafka topic defined in the Profiler's configuration (see Configuring the Profiler<https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler#configuring-the-profiler>). By default, this is the indexing topic.
Thanks
Mohan DV

From: Simon Elliston Ball <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, October 24, 2017 at 2:02 PM
To: "[email protected]" <[email protected]>
Subject: Re: ask about profiler rule

The profiler reads direct from the ingest stream, so it sees data before it gets to ES. The onlyif config you are asking about is a filter condition, so only data which matches that expression will be considered by this particular profile. The activedirectory example here assumes that you have a sensor set up from something like Active Directory, that has fields called user.name and event.type in it. It will then count those failures per user.name.

Simon

On 24 Oct 2017, at 07:38, tkg_cangkul <[email protected]> wrote:

Hi, can anybody explain this rule of the profiler config to me please?

    {
      "profile": "failed-logins",
      "foreach": "user.name",
      "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
      "init": { "count": 0 },
      "update": { "count": "count + 1" },
      "result": "count"
    }

What does "source.type == 'activedirectory' and event.type == 'failed_login'" mean? Does it mean the profiler will read from the ES index that has the condition source.type == 'activedirectory'? If yes, must I index to ES first where source type = activedirectory?

I've just read Nick's article here: https://www.slideshare.net/NickAllen4/apache-metron-profiler

In the other rule configs there are "source.type == 'yaf'" and "source.type == 'bro'". What I know is that "source.type == 'yaf'" & "source.type == 'bro'" are indexed by default on Metron. How about activedirectory?

Best Regards,
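As an added illustration (not code from this thread or from Metron, and not a Stellar parser), the following simulates the evaluation Simon describes: messages are filtered by onlyif, grouped by foreach, and a per-group state goes through init, update and result. The profile's Stellar expressions are rewritten as Python callables, and the sample messages and their field values are constructed assumptions.

```python
# Simulated evaluation of the "failed-logins" profile over raw telemetry
# (the Kafka indexing topic), before anything reaches Elasticsearch.
# Each Stellar expression from the profile is rendered as a Python callable.
PROFILE = {
    "profile": "failed-logins",
    # foreach: the field whose values split the stream into separate counters
    "foreach": lambda m: m.get("user.name"),
    # onlyif: filter; messages that do not match are ignored by this profile
    "onlyif": lambda m: m.get("source.type") == "activedirectory"
    and m.get("event.type") == "failed_login",
    # init: fresh state for a user seen for the first time
    "init": lambda: {"count": 0},
    # update: "count + 1" for every matching message of that user
    "update": lambda state, m: {"count": state["count"] + 1},
    # result: the value written out for the period
    "result": lambda state: state["count"],
}

# Constructed sample messages (hypothetical users and sensors, not real data).
MESSAGES = [
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "bob"},
    {"source.type": "activedirectory", "event.type": "successful_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "bro", "event.type": "failed_login", "user.name": "carol"},  # wrong sensor
    {"source.type": "yaf", "ip_src_addr": "10.0.0.5"},  # no user.name, no event.type
]


def run_profile(profile, messages):
    """Apply onlyif, group by foreach, fold init/update, emit result per group."""
    states = {}
    for m in messages:
        if not profile["onlyif"](m):
            continue  # filtered out: never counted by this profile
        key = profile["foreach"](m)
        if key is None:
            continue  # nothing to group on
        state = states.get(key) or profile["init"]()
        states[key] = profile["update"](state, m)
    return {key: profile["result"](s) for key, s in states.items()}


if __name__ == "__main__":
    print(run_profile(PROFILE, MESSAGES))  # {'alice': 2, 'bob': 1}
```

Messages from other sensors (bro, yaf) pass through the same topic but are dropped by onlyif, which is why the activedirectory sensor must exist and carry user.name and event.type for this profile to count anything.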
