Ok, so yeah, you've hit upon a limitation currently. Right now, via Stellar you can use ENRICHMENT_GET which takes the following parameters:
- enrichment_type - The enrichment type
- indicator - The string indicator to look up
- hbase_table - The HBase Table to use
- column_family - The Column Family to use

Right now we only accept a string for the indicator (which likely would be your user_id). You'd probably like to call ENRICHMENT_GET for each id in the user_id variable. We can't quite do that yet.

There has been some talk about a MAP function created where you can apply a stellar function across a list of values. i.e.

    MAP( user_id, @ENRICHMENT_GET('et', $, 'enrichments', 't'))

which would return a list containing the output of ENRICHMENT_GET for each call.

There is another, more immediate change that could be made for this specific case. We could enable ENRICHMENT_GET to take a list of indicators as the second argument.

Sorry, that doesn't exactly solve your problem in the immediate-case, but it provides some context for future fixes. ;)

I don't suppose you know the length of the list beforehand, right? Even the maximum size?

Casey

On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com> wrote:

> Hi all,
>
>
> I was wondering how I can achieve the following use case in the current
> version of Metron?
>
>
>
> I want to have attributes in the Metron JSON object that are an array.
> For example, if a threat is impacting multiple users, they are all
> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want
> to enrich the event with data that requires the user_id as a key in
> enrichment stored in HBASE, how would I do this?
>
>
> Cheers,
> Ali
>