Thank you very much, Nick. I was not aware of the fact that Metron does not support the multi-value attribute. So, in this case, I need to have a Stellar function to deal with splitting data and mapping to enrichment CF. Is that correct?
Regards,
Ali

On Mon, Apr 3, 2017 at 6:31 AM, Nick Allen <n...@nickallen.org> wrote:

> You could use the programmatic enrichment functions to do this. For
> instance, say you wanted to look up the impacted users in a company
> 'phonebook' to get more information.
>
> "impacted-user-0": ENRICHMENT_GET("phonebook", GET(user_ids, 0), "tb", "cf")
>
> "impacted-user-1": ENRICHMENT_GET("phonebook", GET(user_ids, 1), "tb", "cf")
>
> "impacted-user-2": ENRICHMENT_GET("phonebook", GET(user_ids, 2), "tb", "cf")
>
> Also note that there is an open JIRA to ensure that all of the index
> destinations can handle complex types in the message JSON. This may or may
> not impact your use case, but something to keep in mind.
>
> https://issues.apache.org/jira/browse/METRON-735
>
> On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> I was wondering how I can achieve the following use case in the current
>> version of Metron?
>>
>> I want to have attributes in the Metron JSON object that are an array.
>> For example, if a threat is impacting multiple users, they are all
>> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want
>> to enrich the event with data that requires the user_id as a key in
>> enrichment stored in HBASE, how would I do this?
>>
>> Cheers,
>> Ali

--
A.Nazemian