You could use the programmatic enrichment functions to do this. For
instance, say you wanted to look-up the impacted users in a company
'phonebook' to get more information.
'impacted-user-0": ENRICHMENT_GET(''phonebook", GET(user_ids, 0), "tb",
"cf")
'impacted-user-1": ENRICHMENT_GET(''phonebook", GET(user_ids, 1), "tb",
"cf")
"impacted-user-2": ENRICHMENT_GET(''phonebook", GET(user_ids, 2), "tb",
"cf")
Also note that there is an open JIRA to ensure that all of the index
destinations can handle complex types in the message JSON. This may or may
not impact your use case, but something to keep in mind.
https://issues.apache.org/jira/browse/METRON-735
On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com> wrote:
> Hi all,
>
>
> I was wondering how I can achieve the following use case in the current
> version of Metron?
>
>
>
> I want to have attributes in the Metron JSON object that are an array.
> For example, if a threat is impacting multiple users, they are all
> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want
> to enrich the event with data that requires the user_id as a key in
> enrichment stored in HBASE, how would I do this?
>
>
> Cheers,
> Ali
>
